[Attacks and Exploits]
A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?
Answer : A
If a wireless network lacks proper encryption (an open network, or WEP), nothing authenticates the origin or integrity of frames, so an attacker in radio range can both read the traffic and inject forged packets into the stream.
Packet injection (Option A):
Attackers forge and transmit fake packets to manipulate network behavior.
Common in WEP attacks, where replaying injected ARP frames makes the AP generate the fresh IVs needed for key recovery, and on open or WEP networks to spoof DHCP or DNS responses to clients.
Incorrect options:
Option B (Bluejacking): Sends unsolicited messages to nearby Bluetooth devices; it never touches the Wi-Fi traffic stream.
Option C (Beacon flooding): Floods the air with forged beacon frames advertising fake SSIDs to confuse clients and scanners; it targets availability, not the (missing) encryption.
Option D (Signal jamming): Disrupts connectivity but does not inject packets.
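The check a tester makes before planning injection is whether the data frames actually carry the Protected Frame bit in the 802.11 Frame Control field. The Python below is an added example, not code from the original page or from any exam material: it builds a plaintext 802.11 data frame the way a forged one would look and parses the Frame Control field to tell injectable (plaintext) frames from protected ones. MAC addresses and payloads are constructed. It transmits nothing; sending on real hardware needs a monitor-mode interface and a radiotap header, which is what aireplay-ng or scapy's sendp handle.

```python
"""Craft and inspect raw 802.11 data frames to show why an unencrypted WLAN
is injectable. Added example; all frames below are constructed, not captured."""
import struct

FC_TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_PROTECTED = 0x40                      # "Protected Frame" bit in the FC flags byte
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"     # LLC/SNAP header that precedes the EtherType
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86dd: "IPv6"}


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_data_frame(src, dst, bssid, ethertype, payload, seq=0, protected=False):
    """Build an 802.11 data frame (ToDS) as a station sends it to the AP.
    With protected=False the LLC/SNAP header and payload are plaintext, so anyone
    in radio range can forge such a frame with a spoofed src address."""
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    fc = bytes([FC_TYPE_DATA << 2, flags])           # version 0, subtype 0 (Data)
    duration = b"\x00\x00"
    # ToDS=1, FromDS=0: addr1 = BSSID, addr2 = source, addr3 = destination
    header = fc + duration + mac(bssid) + mac(src) + mac(dst) + struct.pack("<H", seq << 4)
    body = payload if protected else LLC_SNAP + struct.pack("!H", ethertype) + payload
    return header + body


def parse_data_frame(frame: bytes) -> dict:
    """Return type/flags and, for unprotected data frames, the upper-layer EtherType."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x03,
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "src": frame[10:16].hex(":"),
        "ethertype": None,
    }
    if info["type"] == FC_TYPE_DATA and not info["protected"]:
        body = frame[24:]
        if body[:6] == LLC_SNAP and len(body) >= 8:
            info["ethertype"] = struct.unpack("!H", body[6:8])[0]
    return info


def injectable_frames(frames):
    """Data frames whose payload is plaintext: the traffic an attacker can read and forge."""
    out = []
    for f in frames:
        p = parse_data_frame(f)
        if p["type"] == FC_TYPE_DATA and not p["protected"]:
            out.append(f)
    return out


# Constructed sample traffic: a plaintext ARP request on an open network, and a
# CCMP-protected frame whose body is opaque to anyone without the key.
OPEN_ARP_FRAME = build_data_frame(
    "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa",
    0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
PROTECTED_FRAME = build_data_frame(
    "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:aa",
    0, b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\xde\xad" * 16, protected=True)

if __name__ == "__main__":
    for f in (OPEN_ARP_FRAME, PROTECTED_FRAME):
        p = parse_data_frame(f)
        print(p["src"], "protected" if p["protected"] else "PLAINTEXT",
              ETHERTYPE_NAMES.get(p["ethertype"], "-"))
```

Only frames that parse as plaintext data belong in the injection plan; a capture where every data frame carries the Protected bit means the network is encrypting and the exam scenario does not apply.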
[Attacks and Exploits]
Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?
Answer : A
Preserving artifacts ensures that key outputs from the penetration test, such as logs, screenshots, captured data, and any generated reports, are retained for analysis, reporting, and future reference.
Importance of Preserving Artifacts:
Documentation: Provides evidence of the test activities and findings.
Verification: Allows for verification and validation of the test results.
Reporting: Ensures that all critical data is available for the final report.
Types of Artifacts:
Logs: Capture details of the tools used, commands executed, and their outputs.
Screenshots: Visual evidence of the steps taken and findings.
Captured Data: Includes network captures, extracted credentials, and other sensitive information.
Reports: Interim and final reports summarizing the findings and recommendations.
Best Practices:
Secure Storage: Ensure artifacts are stored securely to prevent unauthorized access.
Backups: Create backups of critical artifacts to avoid data loss.
Documentation: Maintain detailed documentation of all artifacts for future reference.
Reference from Pentesting Literature:
Preserving artifacts is a standard practice emphasized in penetration testing methodologies to ensure comprehensive documentation and reporting of the test.
HTB write-ups often include references to preserved artifacts to support the findings and conclusions.
Reference:
Penetration Testing - A Hands-on Introduction to Hacking
HTB Official Writeups
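The backup and secure-storage practices above are only useful if a later cleanup cannot silently drop or alter a file. The Python below is an added example, not from the page or from the cited books: it writes a SHA-256 manifest of an artifact directory and verifies it afterwards, reporting missing, modified and unexpected files. The directory layout and file names in demo() are constructed.

```python
"""Preserve pentest artifacts with a SHA-256 manifest so that cleanup, copying
or restoration cannot silently alter or lose evidence. Added example; the
artifact layout used in demo() is an assumption, not from any methodology."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(artifact_dir: Path) -> dict:
    """Hash every file under artifact_dir. Paths are stored relative so the
    manifest stays valid after the directory is moved to secure storage."""
    files = {}
    for p in sorted(artifact_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(artifact_dir).as_posix()] = {
                "sha256": sha256_file(p), "bytes": p.stat().st_size}
    return {"algorithm": "sha256", "files": files}


def write_manifest(artifact_dir: Path) -> Path:
    out = artifact_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(artifact_dir), indent=2, sort_keys=True))
    return out


def verify_manifest(artifact_dir: Path) -> dict:
    """Compare the directory with its manifest. All three lists empty means the
    evidence set is intact."""
    expected = json.loads((artifact_dir / MANIFEST_NAME).read_text())["files"]
    current = build_manifest(artifact_dir)["files"]
    common = expected.keys() & current.keys()
    return {
        "missing": sorted(set(expected) - set(current)),
        "modified": sorted(k for k in common if expected[k]["sha256"] != current[k]["sha256"]),
        "unexpected": sorted(set(current) - set(expected)),
    }


def demo() -> dict:
    """Constructed artifact set (tool log, screenshot, pcap), then a careless
    cleanup that deletes the pcap and truncates the log."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "logs").mkdir()
        (d / "logs" / "nmap_20240101.log").write_text(
            "Nmap scan report for 10.0.0.5\n22/tcp open ssh\n")       # constructed
        (d / "screenshots").mkdir()
        (d / "screenshots" / "shell.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        (d / "captures").mkdir()
        (d / "captures" / "session.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
        write_manifest(d)
        before = verify_manifest(d)
        (d / "captures" / "session.pcap").unlink()
        (d / "logs" / "nmap_20240101.log").write_text("")
        after = verify_manifest(d)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a copy of the manifest (or a detached signature over it) somewhere the cleanup step cannot reach, otherwise an accidental deletion that also removes MANIFEST.json goes unnoticed.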
[Attacks and Exploits]
During a penetration testing exercise, a team decides to use a watering hole strategy. Which of the following is the most effective approach for executing this attack?
Answer : A
Watering Hole Attack
A watering hole attack involves compromising a website that the target frequently visits.
The attacker injects malicious code into the site, which then delivers an exploit or malicious download to the visitors it expects; the payload is often gated by source IP range or user agent so that only the target organization is hit.
Why Not Other Options?
B: DDoS attacks disrupt services but do not align with the watering hole strategy.
C: Social engineering may be effective but is not a watering hole attack.
D: Phishing delivers the lure to the victim directly (e-mail or message) rather than compromising a site the target already trusts and visits.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org. Which of the following should the tester do to accomplish the assessment objective?
Answer : A
An external attack surface review focuses on identifying publicly accessible assets that an attacker could exploit. The first step in this process is information gathering, which involves enumerating domains, subdomains, public IPs, DNS records, and other internet-facing resources. This is done using passive reconnaissance tools such as Whois, Shodan, Google Dorking, and OSINT techniques.
Option A is correct because it aligns with the assessment goal---finding public-facing systems and their vulnerabilities before an attacker does.
Option B (phishing assessment) is incorrect because it involves social engineering, which is not part of an external attack surface review.
Option C (physical security review) is incorrect as it pertains to physical penetration testing, not an external attack analysis.
Option D (vulnerability assessment) is incorrect because a vulnerability assessment is a later step after reconnaissance. The first step is identifying assets through information gathering.
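A large part of that information-gathering step is turning raw passive sources into a clean, in-scope host list. The Python below is an added example, not from the original page: it extracts hostnames from certificate-transparency records in the shape crt.sh returns (common_name and newline-separated name_value), normalizes wildcards and trailing dots, and separates what belongs to comptia.org from lookalikes and shared-certificate neighbours that are out of scope. The records are constructed, not real CT data.

```python
"""Passive subdomain enumeration from certificate-transparency records, kept
to the agreed scope. Added example; CT_RECORDS below are constructed in the
crt.sh JSON shape and are not real data."""
import re
from typing import Iterable, Optional, Set, Tuple

SCOPE = "comptia.org"
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def in_scope(host: str, root: str = SCOPE) -> bool:
    # endswith("." + root), not endswith(root): "notcomptia.org" must stay out of scope
    return host == root or host.endswith("." + root)


def normalize(name: str) -> Optional[str]:
    """Lower-case, drop a leading wildcard label and trailing dot, and reject
    anything that is not a syntactically valid hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def hostnames_from_ct(records: Iterable[dict], root: str = SCOPE) -> Tuple[Set[str], Set[str]]:
    """Return (in_scope, out_of_scope) hostname sets from crt.sh-style records."""
    inside, outside = set(), set()
    for rec in records:
        candidates = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for raw in candidates:
            host = normalize(raw)
            if host is None:
                continue
            (inside if in_scope(host, root) else outside).add(host)
    return inside, outside


# Constructed sample: normal certs, a wildcard, a cert shared with a vendor host,
# mixed case with trailing dot, and two lookalikes that must not enter scope.
CT_RECORDS = [
    {"common_name": "www.comptia.org", "name_value": "comptia.org\nwww.comptia.org"},
    {"common_name": "*.comptia.org", "name_value": "*.comptia.org\ncertification.comptia.org"},
    {"common_name": "partners.comptia.org", "name_value": "partners.comptia.org\nlogin.vendor.example"},
    {"common_name": "COMPTIA.ORG.", "name_value": "mail.comptia.org"},
    {"common_name": "notcomptia.org", "name_value": "notcomptia.org\ncomptia.org.attacker.example"},
]

if __name__ == "__main__":
    inside, outside = hostnames_from_ct(CT_RECORDS)
    print("in scope:", sorted(inside))
    print("out of scope (report, do not test):", sorted(outside))
```

Out-of-scope names are still worth recording in the report (a shared certificate with a vendor is a finding in itself), but they must not be scanned without an explicit scope change.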
A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:
Server-side request forgery (SSRF) vulnerability in test.comptia.org
Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org
Publicly accessible storage system named static_comptia_assets
SSH port 22 open to the internet on test3.comptia.org
Open redirect vulnerability in test4.comptia.org
Which of the following attack paths should the tester prioritize first?
Answer : E
Leverage SSRF for Metadata Access:
Server-side request forgery (SSRF) vulnerabilities let an attacker make the server issue requests to internal resources on the attacker's behalf. In cloud environments the classic target is the instance metadata service at the link-local address 169.254.169.254 (AWS EC2 and others), which can hand out temporary credentials for the instance's role. Note that AWS IMDSv2 requires a session token obtained via a PUT request first, so a GET-only SSRF against an IMDSv2-only instance will fail.
Once credentials are obtained, they can be used through the cloud API to reach privileged systems that are not directly accessible from the internet, which is exactly what the stakeholders asked for.
Why Not Other Options?
A (Public bucket): Analyzing the bucket for sensitive data is useful but does not directly lead to privileged system access.
B (Pacu): Pacu is used for AWS exploitation but requires credentials or misconfigured roles. SSRF can provide the credentials needed to run Pacu effectively.
C (SSH brute force): Brute-forcing SSH is noisy and slow, and an internet-exposed SSH host is unlikely to be one of the internal privileged systems the stakeholders care about.
D (Phishing via XSS): This is a longer-term attack and less direct compared to leveraging SSRF.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
SSRF Exploitation and Cloud Metadata Access Techniques
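To make the attack path concrete, the Python below is an added example, not code from the original page or any cloud provider: it contrasts the fetch pattern that creates the SSRF with a target check that refuses the metadata service, including the literal-IP evasions SSRF payloads commonly use (decimal, hex, IPv4-mapped IPv6). The function names, the FAKE_NETWORK stand-in and the credential strings are all constructed.

```python
"""SSRF to cloud metadata: the vulnerable fetch pattern beside a target check
that refuses internal and link-local destinations. Added example; the fake
network responses and credential values are constructed."""
import ipaddress
from typing import Optional, Union
from urllib.parse import urlsplit

METADATA_HOSTS = {"metadata.google.internal", "metadata"}   # well-known metadata aliases
ALLOWED_SCHEMES = {"http", "https"}
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_host_as_ip(host: str) -> Optional[IPAddr]:
    """Parse literal IP hosts, including evasions: bracketed IPv6, IPv4-mapped
    IPv6 (::ffff:169.254.169.254), decimal (2852039166) and hex (0xa9fea9fe)."""
    h = host.strip("[]")
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        try:
            if h.lower().startswith("0x"):
                ip = ipaddress.IPv4Address(int(h, 16))
            elif h.isdigit():
                ip = ipaddress.IPv4Address(int(h))
            else:
                return None
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def safe_target(url: str) -> bool:
    """Deny URLs that could reach the metadata service or other internal ranges.
    Hostnames pass here, but a real fix must resolve them and re-check every
    returned address at connect time (DNS rebinding); this offline check does not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in METADATA_HOSTS:
        return False
    ip = parse_host_as_ip(host)
    if ip is None:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


# Constructed stand-in for the network: what an IMDSv1-style endpoint would return
# to a plain GET. The key material here is fake.
METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"
FAKE_NETWORK = {
    METADATA_URL: '{"AccessKeyId":"ASIAEXAMPLECONSTRUCTED","SecretAccessKey":"<fake>","Token":"<fake>"}',
}


def vulnerable_fetch(user_url: str) -> str:
    """The SSRF: fetch whatever URL the client supplied, no destination check."""
    return FAKE_NETWORK.get(user_url, "404")


def hardened_fetch(user_url: str) -> str:
    """Same feature with the destination check in front of the request."""
    if not safe_target(user_url):
        return "blocked"
    return FAKE_NETWORK.get(user_url, "404")


if __name__ == "__main__":
    for u in (METADATA_URL, "http://2852039166/", "http://0xa9fea9fe/",
              "http://[::ffff:169.254.169.254]/", "https://test.comptia.org/"):
        print(u, "->", "allowed" if safe_target(u) else "blocked")
    print("vulnerable:", vulnerable_fetch(METADATA_URL))
    print("hardened:", hardened_fetch(METADATA_URL))
```

Two caveats a tester should carry into the report: a deny-list on literal IPs is not enough on its own (the fix should resolve hostnames and check every address, refuse redirects to internal targets, and prefer an allow-list of permitted hosts), and on AWS the strongest mitigation is requiring IMDSv2 with a hop limit of 1, which defeats GET-only SSRF regardless of the application code.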
[Attacks and Exploits]
A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?
Answer : C
Banner grabbing is a technique used to obtain information about a network service, including its version number, by connecting to the service and reading the response.
Understanding Banner Grabbing:
Purpose: Identify the software version running on a service by reading the initial response banner.
Methods: Can be performed manually using tools like Telnet or automatically using tools like Nmap.
Manual Banner Grabbing:
Telnet: connect to the port. Web servers wait for the client to speak first, so after connecting type HEAD / HTTP/1.0 and press Enter twice; the Server header in the reply is the banner.
telnet target_ip 80
Netcat: Another tool for banner grabbing, used the same way.
nc target_ip 80
Automated Banner Grabbing:
Nmap: Use Nmap's version detection feature to grab banners.
nmap -sV target_ip
Benefits:
Information Disclosure: Quickly identify the version and sometimes configuration details of the service.
Targeted Exploits: Helps in selecting appropriate exploits based on the identified version.
Reference from Pentesting Literature:
Banner grabbing is a fundamental technique in reconnaissance, discussed in various penetration testing guides.
HTB write-ups often include banner grabbing as a step in identifying the version of services.
Penetration Testing - A Hands-on Introduction to Hacking
HTB Official Writeups
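The same check, scripted: the Python below is an added example, not from the original page or the cited books. It sends a minimal HEAD request (HTTP servers do not announce themselves until asked), reads the response headers and pulls out the Server header, and treats a missing header as a result rather than an error. The sample responses are constructed; the local listener in serve_once() stands in for a real target so the script runs offline.

```python
"""HTTP banner grabbing: send a HEAD request, read the headers, extract the
Server header. Added example; SAMPLE_RESPONSES are constructed and serve_once()
is a local stand-in for a target."""
import re
import socket
import threading
from typing import Optional

SERVER_RE = re.compile(rb"^server:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def parse_server_header(response: bytes) -> Optional[str]:
    """Return the Server header from raw HTTP response headers, or None if absent."""
    head = response.split(b"\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    return m.group(1).decode("latin-1").strip() if m else None


def grab_http_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Connect, send HEAD / HTTP/1.0 (Host header only), read until the blank
    line that ends the headers, and return the Server value."""
    req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\nUser-Agent: banner-check\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_header(data)


# Constructed responses: a verbose banner, a minimal one, and a server that
# suppresses the header entirely (e.g. Apache "ServerTokens Prod" plus header removal).
SAMPLE_RESPONSES = {
    "verbose": (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                b"Server: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"),
    "minimal": b"HTTP/1.1 200 OK\r\nserver: nginx\r\nContent-Length: 0\r\n\r\n",
    "hidden": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def serve_once(response: bytes) -> int:
    """Start a throwaway local listener that answers one connection with
    `response`; returns the port it is bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)          # consume the HEAD request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        port = serve_once(resp)
        print(f"{name:8s} -> {grab_http_banner('127.0.0.1', port)!r}")
```

A banner is a claim, not proof: administrators can suppress or fake the Server header, and a reverse proxy may answer with its own. Corroborate the version with behaviour-based checks (error pages, default files, nmap -sV fingerprints) before selecting exploits.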
[Tools and Code Analysis]
Which of the following techniques is the best way to avoid detection by data loss prevention tools?
Answer : A
Encoding to Evade DLP:
Encoding (e.g., Base64) rewrites the data into a different character representation, so the bytes on the wire no longer match the patterns a data loss prevention (DLP) rule was written against.
DLP solutions largely match patterns (sensitive keywords, identifier formats, file signatures); an engine that does not decode the representation before matching will pass the encoded copy.
Why Not Other Options?
B (Compression): Compression changes the bytes, but most DLP engines unpack common archive formats before inspection, so the original patterns are matched anyway.
C (Encryption): DLP tools can still see that an encrypted or password-protected blob is leaving, and many policies flag or block what they cannot inspect, even though the contents themselves are unreadable.
D (Obfuscation): Obfuscation hides intent and is mostly a code-level technique; for data crossing a DLP-inspected channel, encoding into a representation the rule set does not decode defeats the pattern match more directly.
CompTIA Pentest+ Reference:
Domain 3.0 (Attacks and Exploits)
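The gap, and how the inspection side closes it, can be shown in a few lines. The Python below is an added example, not from the original page or any DLP product: a pattern-only scanner misses a Base64-encoded record, while a hardened scanner finds Base64-looking tokens, decodes them and rescans, recursing a bounded number of layers because attackers nest encodings. The rule (a US-SSN-shaped pattern) and the sample messages are constructed.

```python
"""Why Base64 evades pattern-based DLP, and the decode-before-match fix.
Added example; the rule and sample messages are constructed."""
import base64
import binascii
import re
from typing import List

# Constructed rule: SSN-shaped identifiers. Real rules add checksums and context; same idea.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Tokens that look like Base64: long runs of the Base64 alphabet with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def naive_dlp(text: str) -> List[str]:
    """Pattern-only inspection of the text exactly as transmitted."""
    return SSN_RE.findall(text)


def decode_b64_candidates(text: str) -> List[str]:
    """Decode every Base64-looking token; skip tokens that are not valid Base64."""
    layers = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        if decoded:
            layers.append(decoded)
    return layers


def hardened_dlp(text: str, depth: int = 3) -> List[str]:
    """Scan the text, then recursively scan each decoded Base64 layer, at most
    `depth` layers deep so a crafted message cannot make the scanner spin."""
    hits = naive_dlp(text)
    if depth > 0:
        for layer in decode_b64_candidates(text):
            hits.extend(hardened_dlp(layer, depth - 1))
    return hits


def encode_n(text: str, layers: int) -> str:
    """Apply Base64 `layers` times, as an evading sender would."""
    s = text
    for _ in range(layers):
        s = base64.b64encode(s.encode()).decode()
    return s


# Constructed exfiltration attempts: plaintext, single Base64, nested Base64.
SECRET = "customer=J. Doe ssn=123-45-6789 plan=gold"
PLAIN_MSG = f"FYI here is the record: {SECRET}"
ENCODED_MSG = f"FYI attaching the blob: {encode_n(SECRET, 1)}"
DOUBLE_MSG = f"FYI attaching the blob: {encode_n(SECRET, 2)}"

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_MSG), ("base64", ENCODED_MSG), ("base64 x2", DOUBLE_MSG)):
        print(f"{label:10s} naive={naive_dlp(msg)} hardened={hardened_dlp(msg)}")
```

The depth limit is deliberate: the test below shows that a scanner configured for one layer still misses the doubly encoded copy, which is why the evasion question has a practical answer in the first place, and why DLP tuning is an argument about how many layers of decoding the inspection budget allows.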