Practice Free PT0-003 Exam Online Questions
Question #41
A tester is working on an engagement that has evasion and stealth requirements.
Which of the following enumeration methods is the least likely to be detected by the IDS?
- A . curl https://api.shodan.io/shodan/host/search?key=<API_KEY>&query=hostname:<target>
- B . proxychains nmap -sV -T2 <target>
- C . for i in <target>; do curl -k $i; done
- D . nmap -sV -T2 <target>
Correct Answer: A
A
Explanation:
Option A uses Shodan’s API to gather information about a target without directly touching the target system. This makes it the stealthiest option as there’s no traffic generated from the tester’s IP to the target.
Options B & D use Nmap which is active scanning, and while -T2 reduces intensity, it still generates packets.
Option C is a custom curl script that also interacts directly with the target and can trigger IDS alerts.
CompTIA PenTest+
Reference: PT0-003 Objective 2.1 & 2.3: Passive vs Active reconnaissance techniques.
Using OSINT sources like Shodan is a key stealth recon method.
A
Explanation:
Option A uses Shodan’s API to gather information about a target without directly touching the target system. This makes it the stealthiest option as there’s no traffic generated from the tester’s IP to the target.
Options B & D use Nmap which is active scanning, and while -T2 reduces intensity, it still generates packets.
Option C is a custom curl script that also interacts directly with the target and can trigger IDS alerts.
CompTIA PenTest+
Reference: PT0-003 Objective 2.1 & 2.3: Passive vs Active reconnaissance techniques.
Using OSINT sources like Shodan is a key stealth recon method.
Question #42
While conducting OSINT, a penetration tester discovers the client’s administrator posted part of an unsanitized firewall configuration to a troubleshooting message board.
Which of the following did the penetration tester most likely use?
- A . HTML scraping
- B . Public code repository scanning
- C . Wayback Machine
- D . Search engine enumeration
Correct Answer: D
D
Explanation:
Search engine enumeration refers to using advanced search operators (e.g., Google Dorking) to find sensitive or misconfigured data exposed publicly on the internet. In this case, the administrator inadvertently posted firewall configuration details, and a tester likely used specific search queries to discover this data.
According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 3 C Passive Reconnaissance and OSINT):
“Search engine enumeration, often using dorking techniques, can uncover publicly available but sensitive data, such as configuration files, credentials, or documents unintentionally published online.”
Reference: Chapter 3, CompTIA PenTest+ PT0-003 Official Study Guide ===========
D
Explanation:
Search engine enumeration refers to using advanced search operators (e.g., Google Dorking) to find sensitive or misconfigured data exposed publicly on the internet. In this case, the administrator inadvertently posted firewall configuration details, and a tester likely used specific search queries to discover this data.
According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 3 C Passive Reconnaissance and OSINT):
“Search engine enumeration, often using dorking techniques, can uncover publicly available but sensitive data, such as configuration files, credentials, or documents unintentionally published online.”
Reference: Chapter 3, CompTIA PenTest+ PT0-003 Official Study Guide ===========
Question #43
A penetration tester wants to maintain access to a compromised system after a reboot.
Which of the following techniques would be best for the tester to use?
- A . Establishing a reverse shell
- B . Executing a process injection attack
- C . Creating a scheduled task
- D . Performing a credential-dumping attack
Correct Answer: C
C
Explanation:
To maintain persistence after a reboot, the tester needs a method that automatically restarts when the system reboots.
Option A (Reverse shell) ❌ : Reverse shells do not persist after a reboot unless paired with scheduled tasks or registry modifications.
Option B (Process injection) ❌ : Injecting into a process is temporary―once the system reboots, the injected process is gone.
Option C (Scheduled task) ✅ : Correct.
A scheduled task can execute malware, reverse shells, or scripts on system startup, ensuring
persistence.
Example:
schtasks /create /sc onlogon /tn "SystemUpdate" /tr "C:malicious.exe"
Option D (Credential dumping) ❌ : While useful for privilege escalation, it does not provide persistence.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Persistence Techniques
C
Explanation:
To maintain persistence after a reboot, the tester needs a method that automatically restarts when the system reboots.
Option A (Reverse shell) ❌ : Reverse shells do not persist after a reboot unless paired with scheduled tasks or registry modifications.
Option B (Process injection) ❌ : Injecting into a process is temporary―once the system reboots, the injected process is gone.
Option C (Scheduled task) ✅ : Correct.
A scheduled task can execute malware, reverse shells, or scripts on system startup, ensuring
persistence.
Example:
schtasks /create /sc onlogon /tn "SystemUpdate" /tr "C:malicious.exe"
Option D (Credential dumping) ❌ : While useful for privilege escalation, it does not provide persistence.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Persistence Techniques
Question #44
A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p – 192.168.1.0/24.
Which of the following describes the most likely purpose of this scan?
- A . OS fingerprinting
- B . Attack path mapping
- C . Service discovery
- D . User enumeration
Correct Answer: C
C
Explanation:
The Nmap command nmap -sv -sT -p- 192.168.1.0/24 is designed to discover services on a network.
Here is a breakdown of the command and its purpose:
Command Breakdown:
nmap: The network scanning tool.
-sV: Enables service version detection. This option tells Nmap to determine the version of the services running on open ports.
-sT: Performs a TCP connect scan. This is a more reliable method of scanning as it completes the TCP handshake but can be easily detected by firewalls and intrusion detection systems.
-p-: Scans all 65535 ports. This ensures a comprehensive scan of all possible TCP ports.
C
Explanation:
The Nmap command nmap -sv -sT -p- 192.168.1.0/24 is designed to discover services on a network.
Here is a breakdown of the command and its purpose:
Command Breakdown:
nmap: The network scanning tool.
-sV: Enables service version detection. This option tells Nmap to determine the version of the services running on open ports.
-sT: Performs a TCP connect scan. This is a more reliable method of scanning as it completes the TCP handshake but can be easily detected by firewalls and intrusion detection systems.
-p-: Scans all 65535 ports. This ensures a comprehensive scan of all possible TCP ports.
Question #45
A penetration tester presents the following findings to stakeholders:
Control | Number of findings | Risk | Notes
Encryption | 1 | Low | Weak algorithm noted
Patching | 8 | Medium | Unsupported systems
System hardening | 2 | Low | Baseline drift observed
Secure SDLC | 10 | High | Libraries have vulnerabilities
Password policy | 0 | Low | No exceptions noted
Based on the findings, which of the following recommendations should the tester make? (Select two).
- A . Develop a secure encryption algorithm.
- B . Deploy an asset management system.
- C . Write an SDLC policy.
- D . Implement an SCA tool.
- E . Obtain the latest library version.
- F . Patch the libraries.
Correct Answer: D,E
D,E
Explanation:
Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security.
Here’s why options D and E are correct: Implement an SCA Tool:
SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process. This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies. Obtain the Latest Library Version:
Keeping libraries up to date is a fundamental practice in maintaining the security of an application. Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.
This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.
Other Options Analysis:
Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one.
Deploy an Asset Management System: While useful, this is not directly related to the identified high-risk issue of vulnerable libraries.
Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.
Reference from Pentest:
Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries.
Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks.
Conclusion:
Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.
D,E
Explanation:
Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security.
Here’s why options D and E are correct: Implement an SCA Tool:
SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process. This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies. Obtain the Latest Library Version:
Keeping libraries up to date is a fundamental practice in maintaining the security of an application. Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.
This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.
Other Options Analysis:
Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one.
Deploy an Asset Management System: While useful, this is not directly related to the identified high-risk issue of vulnerable libraries.
Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.
Reference from Pentest:
Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries.
Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks.
Conclusion:
Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.
Question #46
During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward.
Which of the following types of attacks is this an example of?
- A . SQL injection
- B . SSRF
- C . XSS
- D . Server-side template injection
Correct Answer: C
C
Explanation:
Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users.
Here’s why option C is correct:
XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user’s browser. The scenario describes injecting a JavaScript prompt, which is a typical XSS payload.
SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.
SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.
Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript
that executes in the user’s browser.
Reference from Pentest:
Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications. Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser.
C
Explanation:
Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users.
Here’s why option C is correct:
XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user’s browser. The scenario describes injecting a JavaScript prompt, which is a typical XSS payload.
SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.
SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.
Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript
that executes in the user’s browser.
Reference from Pentest:
Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications. Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser.
Question #47
During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence.
Which of the following is the best way for the penetration tester to hide the activities performed?
- A . Clear the Windows event logs.
- B . Modify the system time.
- C . Alter the log permissions.
- D . Reduce the log retention settings.
Correct Answer: A
A
Explanation:
During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed.
Here’s a detailed explanation of why clearing the Windows event logs is the best method for this scenario:
Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.
Why Clear Windows Event Logs:
Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.
Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.
Method to Clear Event Logs:
Use the built-in Windows command line utility wevtutil to clear logs.
For example:
shell
Copy code
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
These commands clear the System, Security, and Application logs, respectively.
Alternative Options and Their Drawbacks:
Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.
Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones and can alert administrators to suspicious activity.
Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs
and can be easily noticed by administrators.
Case
Reference: HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth.
For example, in the "Gobox" and "Writeup" machines, maintaining a low profile involved managing log data to avoid detection.
Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.
In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester’s actions remain undetected.
A
Explanation:
During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed.
Here’s a detailed explanation of why clearing the Windows event logs is the best method for this scenario:
Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.
Why Clear Windows Event Logs:
Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.
Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.
Method to Clear Event Logs:
Use the built-in Windows command line utility wevtutil to clear logs.
For example:
shell
Copy code
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
These commands clear the System, Security, and Application logs, respectively.
Alternative Options and Their Drawbacks:
Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.
Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones and can alert administrators to suspicious activity.
Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs
and can be easily noticed by administrators.
Case
Reference: HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth.
For example, in the "Gobox" and "Writeup" machines, maintaining a low profile involved managing log data to avoid detection.
Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.
In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester’s actions remain undetected.
Question #48
A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com.
Which of the following is the best command for the tester to use?
- A . nslookup mydomain.com » /path/to/results.txt
- B . crunch 1 2 | xargs -n 1 -I ‘X’ nslookup X.mydomain.com
- C . dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt
- D . cat wordlist.txt | xargs -n 1 -I ‘X’ dig X.mydomain.com
Correct Answer: D
D
Explanation:
Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I ‘X’ dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.
Command Breakdown:
cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.
xargs -n 1 -I ‘X’: Takes each line from wordlist.txt and passes it to dig one at a time.
dig X.mydomain.com: Performs a DNS lookup for each subdomain.
Why This is the Best Choice:
Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.
Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.
Benefits:
Automates the process of subdomain enumeration using a wordlist.
Efficiently handles a large number of subdomains.
Reference from Pentesting Literature:
Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides. HTB write-ups often detail the use of similar commands for efficient subdomain enumeration. Step-by-Step ExplanationReference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
D
Explanation:
Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I ‘X’ dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.
Command Breakdown:
cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.
xargs -n 1 -I ‘X’: Takes each line from wordlist.txt and passes it to dig one at a time.
dig X.mydomain.com: Performs a DNS lookup for each subdomain.
Why This is the Best Choice:
Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.
Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.
Benefits:
Automates the process of subdomain enumeration using a wordlist.
Efficiently handles a large number of subdomains.
Reference from Pentesting Literature:
Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides. HTB write-ups often detail the use of similar commands for efficient subdomain enumeration. Step-by-Step ExplanationReference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
Question #49
A penetration tester is researching a path to escalate privileges.
While enumerating current user privileges, the tester observes the following:
SeAssignPrimaryTokenPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeManageVolumePrivilege Enabled
SeImpersonatePrivilege Enabled
SeCreateGlobalPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
Which of the following privileges should the tester use to achieve the goal?
- A . SeImpersonatePrivilege
- B . SeCreateGlobalPrivilege
- C . SeChangeNotifyPrivilege
- D . SeManageVolumePrivilege
Correct Answer: A
A
Explanation:
The SeImpersonatePrivilege allows a process to impersonate another user’s security context, which is commonly used in token manipulation attacks for privilege escalation.
Option A (SeImpersonatePrivilege) ✅ : Correct.
Used in Juicy Potato or Rogue Potato attacks to escalate privileges.
Option B (SeCreateGlobalPrivilege) ❌ : Allows creating global objects, but not privilege escalation.
Option C (SeChangeNotifyPrivilege) ❌ : Enables traverse directory access, not privilege escalation.
Option D (SeManageVolumePrivilege) ❌ : Used for disk management, not privilege escalation. Reference: CompTIA PenTest+ PT0-003 Official Guide C Windows Privilege Escalation via Token Impersonation
A
Explanation:
The SeImpersonatePrivilege allows a process to impersonate another user’s security context, which is commonly used in token manipulation attacks for privilege escalation.
Option A (SeImpersonatePrivilege) ✅ : Correct.
Used in Juicy Potato or Rogue Potato attacks to escalate privileges.
Option B (SeCreateGlobalPrivilege) ❌ : Allows creating global objects, but not privilege escalation.
Option C (SeChangeNotifyPrivilege) ❌ : Enables traverse directory access, not privilege escalation.
Option D (SeManageVolumePrivilege) ❌ : Used for disk management, not privilege escalation. Reference: CompTIA PenTest+ PT0-003 Official Guide C Windows Privilege Escalation via Token Impersonation
Question #50
Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?
- A . The tester is conducting a web application test.
- B . The tester is assessing a mobile application.
- C . The tester is evaluating a thick client application.
- D . The tester is creating a threat model.
Correct Answer: D
D
Explanation:
DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat modeling framework used to assess and prioritize risks.
Option A (Web application test) ❌ : While DREAD can be used in web security, PTES (Penetration Testing Execution Standard) is a better framework for conducting pentests.
Option B (Mobile application test) ❌ : PTES provides guidelines for mobile security testing, whereas DREAD is for threat modeling.
Option C (Thick client application) ❌ : Thick clients require specific testing methodologies, not DREAD.
Option D (Creating a threat model) ✅ : Correct.
DREAD is designed for risk assessment and prioritization.
PTES focuses on penetration testing execution, not threat modeling.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Threat Modeling with DREAD vs. PTES
D
Explanation:
DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat modeling framework used to assess and prioritize risks.
Option A (Web application test) ❌ : While DREAD can be used in web security, PTES (Penetration Testing Execution Standard) is a better framework for conducting pentests.
Option B (Mobile application test) ❌ : PTES provides guidelines for mobile security testing, whereas DREAD is for threat modeling.
Option C (Thick client application) ❌ : Thick clients require specific testing methodologies, not DREAD.
Option D (Creating a threat model) ✅ : Correct.
DREAD is designed for risk assessment and prioritization.
PTES focuses on penetration testing execution, not threat modeling.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Threat Modeling with DREAD vs. PTES