Practice Free PT0-003 Exam Online Questions
Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?
- A . Badge cloning
- B . Shoulder surfing
- C . Tailgating
- D . Site survey
C
Explanation:
Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.
Tailgating:
Definition: Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without the latter’s consent or knowledge. The authorized person typically opens a door or checkpoint, and the unauthorized person slips in behind them.
Example: An attacker waits near the entrance of a building and enters right after an employee, bypassing security measures.
Physical Security:
Importance: Physical security is a crucial aspect of overall security posture. Tailgating exploits human factors and weaknesses in physical security controls.
Prevention: Security measures such as turnstiles, mantraps, and security personnel can help prevent tailgating.
Pentest Reference: Physical Penetration Testing: Tailgating is a common technique used in physical penetration tests to assess the effectiveness of an organization’s physical security controls.
Social Engineering: Tailgating often involves social engineering, where the attacker relies on the politeness or unawareness of the employee to gain unauthorized access.
By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization’s physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.
A penetration tester must identify hosts without alerting an IPS. The tester has access to a local network segment.
Which of the following is the most logical action?
- A . Performing reverse DNS lookups
- B . Utilizing Nmap using a ping sweep
- C . Conducting LLMNR poisoning using Responder
- D . Viewing the local routing table on the host
A
Explanation:
When the objective is to identify hosts while minimizing the chance of triggering an IPS, PenTest+ prioritizes low-noise reconnaissance techniques over active probing. A reverse DNS lookup queries DNS PTR records for IP addresses and can reveal hostnames for systems that are already registered in internal DNS. This often generates traffic that appears similar to normal enterprise name-resolution activity and is typically less suspicious than broad ICMP echo sweeps or repeated port probes.
An Nmap ping sweep is an overt discovery action that sends ICMP (and sometimes ARP/other probes) across a range and is more likely to be detected or rate-limited by monitoring and IPS controls. LLMNR poisoning with Responder is an active interception/credential capture technique that can be highly detectable and is not simply “host identification.” Viewing the local routing table is very quiet, but it primarily reveals networks and routes, not a list of live hosts on the segment. Therefore, reverse DNS lookups are the most logical balance of effectiveness and stealth for identifying hosts.
Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?
- A . The tester is conducting a web application test.
- B . The tester is assessing a mobile application.
- C . The tester is evaluating a thick client application.
- D . The tester is creating a threat model.
D
Explanation:
DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat modeling framework used to assess and prioritize risks.
Option A (Web application test) ❌: While DREAD can be used in web security, PTES (Penetration Testing Execution Standard) is a better framework for conducting pentests.
Option B (Mobile application test) ❌: PTES provides guidelines for mobile security testing, whereas DREAD is for threat modeling.
Option C (Thick client application) ❌: Thick clients require specific testing methodologies, not DREAD.
Option D (Creating a threat model) ✅: Correct.
DREAD is designed for risk assessment and prioritization.
PTES focuses on penetration testing execution, not threat modeling.
Reference: CompTIA PenTest+ PT0-003 Official Guide, Threat Modeling with DREAD vs. PTES
During an assessment, a penetration tester gains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
- A . Configuration files
- B . Permissions
- C . Virtual hosts
- D . Secrets
D
Explanation:
The command searches for the keyword "pass" (passwords) across all .txt, .cfg, and .xml files, which are common locations for stored credentials.
Option A (Configuration files) ❌: While .cfg files may contain settings, the search is specifically for secrets (passwords).
Option B (Permissions) ❌: The command does not list permissions.
Option C (Virtual hosts) ❌: This does not relate to virtual host enumeration.
Option D (Secrets) ✅: Correct. The tester is looking for stored passwords or sensitive data.
Reference: CompTIA PenTest+ PT0-003 Official Guide, Privilege Escalation Techniques
During an assessment, a penetration tester exploits an SQLi vulnerability.
Which of the following commands would allow the penetration tester to enumerate password hashes?
- A . sqlmap -u www.example.com/?id=1 --search -T user
- B . sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
- C . sqlmap -u www.example.com/?id=1 --tables -D accounts
- D . sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
B
Explanation:
To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract the specific columns of the database that typically contain password hashes. The --dump option in sqlmap is used to dump the contents of the specified database table.
Here's a breakdown of the options:
Option A: sqlmap -u www.example.com/?id=1 --search -T user
The --search option is used to search for tables and columns by name, not to dump data. This would not enumerate password hashes.
Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
This command uses --dump to extract data from the specified database accounts, table users, and column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing the password hashes.
Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts
The --tables option lists all tables in the specified database but does not extract data.
Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
The --schema option provides the database schema information, and --current-user and --current-db provide information about the current user and database, but none of them dump data.
Reference from Pentest:
Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.
Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.
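The reason sqlmap can dump a whole table through a single id parameter is that the application pastes the parameter into the SQL text. The following added example (not code from the page, HTB or sqlmap) builds an in-memory SQLite table with the same users/cred layout the question uses, with constructed sample rows, and puts the vulnerable query beside its parameterized fix so the difference in behaviour can be observed directly:

```python
import hashlib
import sqlite3


def _hash(secret: str) -> str:
    # Constructed sample data only: a bare SHA-256 is not an acceptable password
    # store; real systems use a slow, salted KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(secret.encode()).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """In-memory database mirroring the question's accounts.users(cred) layout.
    Every row is constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, cred TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, cred) VALUES (?, ?, ?)",
        [
            (1, "alice", _hash("alice-pw")),
            (2, "bob", _hash("bob-pw")),
            (3, "carol", _hash("carol-pw")),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_supplied_id: str):
    """The pattern sqlmap exploits: the request parameter is interpolated into
    the SQL text, so it can change the query's structure, not just its value."""
    sql = f"SELECT id, name FROM users WHERE id = {user_supplied_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_supplied_id: str):
    """Hardened form: validate the type, then bind the value as a parameter.
    The driver sends it as data, so no input can alter the statement."""
    try:
        id_value = int(user_supplied_id)
    except ValueError:
        return []  # reject anything that is not a numeric id
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, benign input :", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, tautology          :", lookup_safe(db, "1 OR 1=1"))
```

With the concatenated query, a tautology in the id parameter returns every row, which is exactly the behaviour that lets an injection tool walk a table column by column; with the bound parameter the same input is rejected as a non-integer, and even a string bind would only compare the id column against a literal that matches nothing.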
Which of the following components of a penetration test report most directly contributes to prioritizing remediations?
- A . Proof of concept
- B . Risk scoring
- C . Attack narrative
- D . Executive summary
B
Explanation:
Risk scoring is the report element that most directly enables an organization to prioritize remediation work because it translates technical findings into an ordered view of business risk. In PenTest+ reporting guidance, testers are expected to communicate not only what is vulnerable but also how severe the issue is and how likely it is to be exploited, often incorporating factors such as exploitability, impact, exposure, and the presence of compensating controls. This produces a defensible ranking that helps stakeholders decide what to fix first when time and resources are limited.
Proof of concept supports validation by demonstrating that exploitation is possible, but it does not inherently provide comparative urgency across multiple findings. An attack narrative explains the path the tester used to achieve objectives (useful for understanding chaining and scope impact), but it is typically descriptive rather than a prioritization mechanism. The executive summary is aimed at leadership-level communication and overall posture, yet it usually depends on underlying risk ratings to justify what should be addressed first. Therefore, risk scoring most directly drives remediation prioritization.
A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.
Based on the targets’ EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
- A . Target 1: EPSS Score = 0.6 and CVSS Score = 4
- B . Target 2: EPSS Score = 0.3 and CVSS Score = 2
- C . Target 3: EPSS Score = 0.6 and CVSS Score = 1
- D . Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
A
Explanation:
The correct answer is A. Target 1: EPSS Score = 0.6 and CVSS Score = 4
EPSS, the Exploit Prediction Scoring System, estimates the likelihood that a vulnerability will be exploited in the wild. CVSS, the Common Vulnerability Scoring System, measures the severity or technical impact of a vulnerability.
The question asks which target is most likely to get attacked, so the EPSS score is the most important factor. The highest EPSS score shown is 0.6, which appears in both Target 1 and Target 3.
Between those two, Target 1 has the higher CVSS score:
Target 1: EPSS 0.6, CVSS 4
Target 3: EPSS 0.6, CVSS 1
Since both have the same exploitation likelihood, the vulnerability with the higher impact/severity is the better choice. Therefore, Target 1 is the most likely and more meaningful attack target.
B is incorrect because its EPSS score is lower at 0.3.
C is incorrect because although its EPSS score is tied for highest, its CVSS score is much lower than Target 1.
D is incorrect because it has the highest CVSS score, but its EPSS score is lower than Target 1 and Target 3. A higher CVSS score means greater severity, not necessarily a higher likelihood of exploitation.
In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically vulnerability prioritization using exploit likelihood and severity metrics.
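The ranking rule applied by hand above (likelihood first, severity as the tie-breaker) is also the kind of risk scoring that the report question earlier in this page says drives remediation priority. The following added example (not code from the page or from CompTIA) encodes that rule in a small prioritization helper; the four targets are taken from the question, the field names and the table layout are this example's own assumptions:

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    target: str
    epss: float  # EPSS: estimated probability of exploitation in the wild, 0.0 to 1.0
    cvss: float  # CVSS base score: technical severity / impact, 0.0 to 10.0


def is_valid(finding: Finding) -> bool:
    """Scores outside the ranges the two systems define are data-entry errors."""
    return 0.0 <= finding.epss <= 1.0 and 0.0 <= finding.cvss <= 10.0


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Order by likelihood of attack first (EPSS); use severity (CVSS) only to
    break ties. Both keys descend, so the most pressing finding comes first."""
    findings = list(findings)
    bad = [f.target for f in findings if not is_valid(f)]
    if bad:
        raise ValueError(f"out-of-range scores for: {', '.join(bad)}")
    return sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)


def most_likely_attacked(findings: Iterable[Finding]) -> str:
    return prioritize(findings)[0].target


def remediation_table(findings: Iterable[Finding]) -> List[str]:
    """Render the ranked list as report rows: the 'risk scoring' element a
    report uses to justify what gets fixed first."""
    rows = ["rank  target     epss   cvss"]
    for rank, f in enumerate(prioritize(findings), start=1):
        rows.append(f"{rank:<5} {f.target:<10} {f.epss:<6.2f} {f.cvss:<4.1f}")
    return rows


# Constructed from the four targets in the question above.
QUESTION_TARGETS = [
    Finding("Target 1", 0.6, 4.0),
    Finding("Target 2", 0.3, 2.0),
    Finding("Target 3", 0.6, 1.0),
    Finding("Target 4", 0.4, 4.5),
]

if __name__ == "__main__":
    print("\n".join(remediation_table(QUESTION_TARGETS)))
```

Run as a script it prints Target 1, Target 3, Target 4, Target 2 in that order: Target 4 has the highest CVSS but drops to third place because the question asks about likelihood of attack, which EPSS measures and CVSS does not.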
SIMULATION
Using the output, identify potential attack vectors that should be further investigated.
2: nmap -sV -p 1-1023
A penetration tester executes multiple enumeration commands to find a path to escalate privileges.
Given the following command:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Which of the following is the penetration tester attempting to enumerate?
- A . Attack path mapping
- B . API keys
- C . Passwords
- D . Permission
D
Explanation:
The command find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the permissions of the user running the file.
Understanding the Command:
find /: Search the entire filesystem.
-user root: Limit the search to files owned by the root user.
-perm -4000: Look for files with the SUID bit set.
-exec ls -ldb {} \;: Execute ls -ldb on each found file to list it in detail.
2>/dev/null: Redirect error messages to /dev/null to avoid cluttering the output.
Purpose:
Enumerating SUID Files: The command is used to identify files with elevated privileges that might be exploited for privilege escalation.
Security Risks: SUID files can pose security risks if they are vulnerable, as they can be used to execute code with root privileges.
Why Enumerate Permissions:
Identifying SUID files is a crucial step in privilege escalation as it reveals potential attack vectors that can be exploited to gain root access.
Reference from Pentesting Literature:
Enumeration of SUID files is a common practice in penetration testing, as discussed in various guides and write-ups.
HTB write-ups often detail how finding and exploiting SUID binaries can lead to root access on a target system.
Reference: Penetration Testing: A Hands-On Introduction to Hacking; HTB Official Writeups
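The same enumeration is useful on the defensive side: record the set of root-owned SUID binaries a host legitimately has and alert when the set changes. The following added example (not code from the page or from any of the referenced write-ups) reproduces the find command's selection logic in Python, diffs a scan against a baseline, and builds a small constructed fixture (a temp directory with one SUID file and one plain file, owned by the current user so it runs without root); the function and fixture names are this example's own:

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def find_suid_files(root: str, owner_uid: int = 0) -> List[str]:
    """Python equivalent of `find / -user root -perm -4000`: regular files under
    `root` with the SUID bit set that are owned by `owner_uid` (root by default)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished: the shell's 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)


def diff_suid_baseline(current: Iterable[str], baseline: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a fresh scan with a recorded baseline: anything 'added' is a new
    privileged binary to investigate, anything 'removed' is baseline drift."""
    cur, base = set(current), set(baseline)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def build_sample_tree() -> Dict[str, object]:
    """Constructed fixture: one SUID file and one plain file in a temp directory."""
    root = tempfile.mkdtemp(prefix="suid_demo_")
    suid_path = os.path.join(root, "helper_suid")
    plain_path = os.path.join(root, "helper_plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid_path, 0o4755)   # rwsr-xr-x: SUID bit set
    os.chmod(plain_path, 0o755)   # rwxr-xr-x: no SUID bit
    return {"root": root, "suid": suid_path, "plain": plain_path, "uid": os.getuid()}


if __name__ == "__main__":
    fx = build_sample_tree()
    scan = find_suid_files(fx["root"], fx["uid"])
    print("SUID files in fixture:", scan)
    print("diff against empty baseline:", diff_suid_baseline(scan, []))
```

Pointing find_suid_files at "/" with the default owner_uid reproduces the tester's listing; storing that list and re-running diff_suid_baseline on a schedule turns the same enumeration into a detection for unexpected privileged binaries.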
A penetration tester gains access to a host with many applications that load at startup and run as SYSTEM.
The penetration tester runs a command and receives the following output:
User accounts for COMPTIA-Host
CompTIA User DefaultAccount Guest
CompTIA Admin CompTIA Accountant
The command completed successfully.
Which of the following attacks will most likely allow the penetration tester to escalate privileges?
- A . Credential dumping
- B . Local file inclusion
- C . Unquoted service path injection
- D . Process hijacking
C
Explanation:
The scenario highlights a Windows host where “many applications load at startup and run as SYSTEM,” which points directly to Windows services and auto-start components executing with high privileges. In PenTest+ privilege escalation techniques, unquoted service path injection is a common and effective method when a service runs as SYSTEM and its executable path contains spaces but is not enclosed in quotes. Windows may parse the path incorrectly and attempt to execute a malicious binary placed earlier in the interpreted path (for example, C:\Program.exe), as long as the attacker has write permissions to a directory in that search order. This can result in the attacker’s payload being executed as SYSTEM on service start/restart, achieving privilege escalation reliably and with clear evidentiary output.
Credential dumping may help lateral movement, but it does not inherently escalate privileges if the tester already lacks higher-privileged credentials. Local file inclusion is a web vulnerability and not applicable to host startup services. Process hijacking can work in some cases, but unquoted service paths are a specifically documented, high-probability Windows misconfiguration when many SYSTEM services exist.
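The parsing rule behind this misconfiguration is mechanical, so it can be audited mechanically. The following added example (not code from the page or from CompTIA) takes service image paths, flags those that are unquoted and contain spaces, lists the interpretations Windows tries before reaching the real binary (the locations whose write permissions an audit must verify), and produces the quoted path that remediates the finding. The service names and paths are constructed; the assumption that the executable ends at the first ".exe" is this example's own heuristic:

```python
import re
from typing import Dict, List

_EXE_END = re.compile(r"\.exe", re.IGNORECASE)


def executable_portion(image_path: str) -> str:
    """Assumption for this example: the service binary ends at the first '.exe';
    anything after it is treated as arguments."""
    m = _EXE_END.search(image_path)
    return image_path[: m.end()] if m else image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The misconfiguration: a path that is not wrapped in quotes and whose
    executable portion contains at least one space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False  # quoted: Windows parses it unambiguously
    return " " in executable_portion(p)


def candidate_paths(image_path: str) -> List[str]:
    """Interpretations Windows tries, in order, for an unquoted path: each
    space-delimited prefix with '.exe' appended, then the full path."""
    exe = executable_portion(image_path.strip())
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def quoted_image_path(image_path: str) -> str:
    """The remediation: wrap the executable portion in double quotes, keep arguments."""
    p = image_path.strip()
    exe = executable_portion(p)
    return f'"{exe}"' + p[len(exe):]


def audit_services(services: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per misconfigured service: the ambiguous candidates and the fixed path."""
    report = {}
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            report[name] = {
                "candidates": candidate_paths(path),
                "fix": quoted_image_path(path),
            }
    return report


# Constructed sample values in the style of each service's ImagePath
# (well-known location: HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath).
SAMPLE_SERVICES = {
    "AcmeUpdater": r"C:\Program Files\Acme Suite\updater.exe -k service",
    "SafeSvc": r'"C:\Program Files\Acme Suite\safe.exe" -k service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

if __name__ == "__main__":
    for name, entry in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for c in entry["candidates"]:
            print("  tries:", c)
        print("  fix  :", entry["fix"])
```

Only AcmeUpdater is reported: its first candidate is C:\Program.exe, the case the explanation above names. SafeSvc has the same directory layout but is already quoted, and Spooler contains no space in its executable portion, so neither needs a change.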