CompTIA PT0-002 Exam Practice Test Instant Access

Question 1

During a penetration test of a server application, a security consultant found that the application randomly crashed or remained stable after opening several simultaneous connections to the application and always submitting the same packets of dat

a. Which of the following is the best sequence of steps the tester should use to understand and exploit the vulnerability?

AAttach a remote profiler to the server application. Establish a random number of connections to the server application. Send fixed packets of data simultaneously using those connections.

BAttach a remote debugger to the server application. Establish a large number of connections to the server application. Send fixed packets of data simultaneously using those connections.

CAttach a local disassembler to the server application. Establish a single connection to the server application. Send fixed packets of data simultaneously using that connection.

DAttach a remote disassembler to the server application. Establish a small number of connections to the server application. Send fixed packets of data simultaneously using those connections.

Answer : B

To understand and exploit the vulnerability causing the server application to crash or remain stable after opening several simultaneous connections, the best approach is to attach a remote debugger to the application. This allows the penetration tester to monitor the application's behavior in real-time without affecting the stability of the testing environment. Establishing a large number of connections to the server and sending fixed packets of data simultaneously can help to reproduce the issue consistently, which is crucial for identifying the cause of the crashes. Analyzing the application's response and debugging data will provide insights into potential buffer overflow, race conditions, or other vulnerabilities.

Effective Debugging Techniques

Fuzz Testing and Debugging

Question 2

A penetration tester exploits a vulnerable service to gain a shell on a target server. The tester receives the following:

Directory of C:\Users\Guest 05/13/2022 09:23 PM mimikatz.exe 05/18/2022 09:24 PM mimidrv.sys 05/18/2022 09:24 PM mimilib.dll

Which of the following best describes these findings?

AIndicators of prior compromise

BPassword encryption tools

CFalse positives

DDe-escalation attempts

Answer : A

The presence of files such as mimikatz.exe, mimidrv.sys, and mimilib.dll on a target server indicates prior compromise. Mimikatz is a well-known post-exploitation tool used for extracting plaintext passwords, hash dumps, PIN codes, and Kerberos tickets from memory. These files suggest that an attacker has previously gained access to the system and used Mimikatz for credential harvesting. This is a strong indicator of a prior security breach rather than tools used for password encryption or false positives.

Mimikatz Usage and Detection

Understanding Indicators of Compromise

Question 3

A penetration tester is conducting an assessment on a web application. Which of the following active reconnaissance techniques would be best for the tester to use to gather additional information about the application?

AUsing cURL with the verbose option

BCrawling UR Is using an interception proxy

CUsing Scapy for crafted requests

DCrawling URIs using a web browser

Answer : B

Crawling URIs using an interception proxy is the best active reconnaissance technique for gathering additional information about a web application. An interception proxy, such as Burp Suite or OWASP ZAP, allows the penetration tester to see and manipulate the requests and responses between the client and the server, providing detailed insights into the application's behavior, structure, and vulnerabilities. This technique is more comprehensive and controlled compared to using cURL or a web browser.

OWASP Testing Guide: Web Application Security Testing

Burp Suite Documentation

OWASP ZAP User Guide

Question 4

An organization is using Android mobile devices but does not use MDM services. Which of the following describes an existing risk present in this scenario?

ADevice log facility does not record actions.

BEnd users have root access by default.

CUnsigned applications can be installed.

DPush notification services require internet.

Answer : C

The risk present in an organization using Android mobile devices without Mobile Device Management (MDM) services is that unsigned applications can be installed. Without MDM, there are fewer controls over the installation of applications, which increases the risk of installing malicious or unauthorized applications. MDM services typically provide a way to enforce application signing policies, preventing the installation of unsigned apps.

OWASP Mobile Security Project

NIST Mobile Device Management Guide

Question 5

A vulnerability assessor is looking to establish a baseline of all IPv4 network traffic on the local VLAN without a local IP address. Which of the following Nmap command sequences would best provide this information?

Asudo nmap ---script=bro* -e ethO

Bsudo nmap -sF ---script=* -e ethO

Csudo nmap -sV -sT -p 0-65535 -e ethO

Dsudo nmap -sV -p 0-65535 0.0.0.0/0

Answer : A

The command sudo nmap ---script=bro* -e ethO is the best choice for establishing a baseline of all IPv4 network traffic on the local VLAN without a local IP address. The ---script=bro* specifies the use of scripts that can capture and analyze traffic, and -e ethO specifies the network interface to be used. This allows the vulnerability assessor to capture and analyze network traffic at a low level, which is essential for baseline analysis.

Nmap Scripting Engine (NSE)

Nmap Network Interface Specification

Question 6

A penetration tester is performing an assessment of an application that allows users to upload documents to a cloud-based file server for easy access anywhere in the world. Which of the following would most likely allow a tester to access unintentionally exposed documents?

ADirectory traversal attack

BCross-site request forgery

CCross-site scripting attack

DSession attack

Answer : A

A directory traversal attack, also known as a path traversal attack, is a method used to exploit insufficient security validation or sanitization of user-supplied input file names. The goal of this attack is to access directories and files that are stored outside the web root folder. By manipulating variables that reference files with ''../'' sequences and its variations, attackers can access restricted directories and execute commands outside of the web server's root directory.

In the context of an application that allows users to upload documents to a cloud-based file server, an attacker might exploit a directory traversal vulnerability to navigate to directories that contain sensitive documents. If the file upload functionality is not properly secured, an attacker could upload a file with a payload designed to perform directory traversal. This could allow access to confidential files that are otherwise protected by the application's access control mechanisms.

OWASP Directory Traversal Cheat Sheet: OWASP Directory Traversal

Practical example from HTB Writeups like Forge and Anubis which demonstrate similar enumeration techniques leading to sensitive file disclosures.

Question 7

After successfully compromising a remote host, a security consultant notices an endpoint protection software is running on the host. Which of the following commands would be

best for the consultant to use to terminate the protection software and its child processes?

Ataskkill /PID <PID> /T /F

Btaskkill /PID <PID> /IM /F

Ctaskkill /PID <PID> /S /U

Dtaskkill /PID <PID> /F /P

Answer : A

The taskkill command is used in Windows to terminate tasks by process ID (PID) or image name (IM). The correct command to terminate a specified process and any child processes which were started by it uses the /T flag, and the /F flag is used to force terminate the process. Therefore, taskkill /PID <PID> /T /F is the correct syntax to terminate the endpoint protection software and its child processes.

The other options listed are either incorrect syntax or do not accomplish the task of terminating the child processes:

* /IM specifies the image name but is not necessary when using /PID.

* /S specifies the remote system to connect to and /U specifies the user context under which the command should execute, neither of which are relevant to terminating processes.

* There is no /P flag in the taskkill command.

CompTIA PT0-002 CompTIA PenTest+ Certification Exam Practice Test