CompTIA PT0-003 Exam Practice Test Instant Access

Question 1

A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

PORT STATE SERVICE

22/tcp open ssh

25/tcp filtered smtp

111/tcp open rpcbind

2049/tcp open nfs

Based on the output, which of the following services provides the best target for launching an attack?

ADatabase

BRemote access

CEmail

DFile sharing
Based on the Nmap scan results, the services identified on the target server are as follows:
22/tcp open ssh:
Service: SSH (Secure Shell)
Function: Provides encrypted remote access.
Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations. However, it is generally considered secure if properly configured.
25/tcp filtered smtp:
Service: SMTP (Simple Mail Transfer Protocol)
Function: Email transmission.
Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.
111/tcp open rpcbind:
Service: RPCBind (Remote Procedure Call Bind)
Function: Helps in mapping RPC program numbers to network addresses.
Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.
2049/tcp open nfs:
Service: NFS (Network File System)
Function: Allows for file sharing over a network.
Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.
Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.

Answer : D

Question 2

A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster. Which of the following tools should the tester use to evaluate the cluster?

ATrivy

BNessus

CGrype

DKube-hunter
Evaluating a container orchestration cluster, such as Kubernetes, requires specialized tools designed to assess the security and configuration of container environments. Here's an analysis of each tool and why Kube-hunter is the best choice:
Trivy (Option A):

Answer : D

Capabilities: While effective at scanning container images for vulnerabilities, it is not specifically designed to assess the security of a container orchestration cluster itself.

Nessus (Option B):

Capabilities: It is not tailored for container orchestration environments and may miss specific issues related to Kubernetes or other orchestration systems.

Grype (Option C):

Capabilities: Similar to Trivy, it focuses on identifying vulnerabilities in container images rather than assessing the overall security posture of a container orchestration cluster.

Kube-hunter (Answer: D):

Capabilities: It scans the Kubernetes cluster for a wide range of security issues, including misconfigurations and vulnerabilities specific to Kubernetes environments.

Conclusion: Kube-hunter is the most appropriate tool for evaluating a container orchestration cluster, such as Kubernetes, due to its specialized focus on identifying security vulnerabilities and misconfigurations specific to such environments.

Question 3

Which of the following OT protocols sends information in cleartext?

ATTEthernet

BDNP3

CModbus

DPROFINET
Operational Technology (OT) protocols are used in industrial control systems (ICS) to manage and automate physical processes. Here's an analysis of each protocol regarding whether it sends information in cleartext:
TTEthernet (Option A):

Answer : C

Security: It includes mechanisms for reliable and deterministic data transfer, not typically sending information in cleartext.

DNP3 (Option B):

Security: While the original DNP3 protocol transmits data in cleartext, the DNP3 Secure Authentication extensions provide cryptographic security features.

Modbus (Answer: C):

Security: Modbus transmits data in cleartext, which makes it susceptible to interception and unauthorized access.

Security: PROFINET includes several security features, including support for encryption, which means it doesn't necessarily send information in cleartext.

Conclusion: Modbus is the protocol that most commonly sends information in cleartext, making it vulnerable to eavesdropping and interception.

PROFINET (Option D):

Question 4

Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

ACreating registry keys

BInstalling a bind shell

CExecuting a process injection

DSetting up a reverse SSH connection

Answer : A

Maintaining persistent access in a compromised system is a crucial goal for a penetration tester after achieving initial access. Here's an explanation of each option and why creating registry keys is the preferred method:

Creating registry keys (Answer: A):

Advantages: This method is stealthy and can be effective in maintaining access over long periods, especially on Windows systems.

Example: Adding a new entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to execute a malicious script upon system boot.

Drawbacks: This method is less stealthy and can be easily detected by network monitoring tools. It also requires an open port, which might be closed or filtered by firewalls.

Executing a process injection (Option C):

Drawbacks: While effective for evading detection, it doesn't inherently provide persistence. The injected code will typically be lost when the process terminates or the system reboots.

Setting up a reverse SSH connection (Option D):

Drawbacks: This method can be useful for maintaining a session but is less reliable for long-term persistence. It can be disrupted by network changes or monitoring tools.

Conclusion: Creating registry keys is the most effective method for maintaining persistent access in a compromised system, particularly in Windows environments, due to its stealthiness and reliability.

Installing a bind shell (Option B):

Question 5

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

AUse steganography and send the file over FTP

BCompress the file and send it using TFTP

CSplit the file in tiny pieces and send it over dnscat

DEncrypt and send the file over HTTPS

Answer : D

When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection. Here's an analysis of each option:

Use steganography and send the file over FTP (Option A):

Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception. Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.

Compress the file and send it using TFTP (Option B):

Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.

Split the file in tiny pieces and send it over dnscat (Option C):

Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.

Encrypt and send the file over HTTPS (Answer: D):

Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.

The use of HTTPS for secure data transfer is a standard practice in cybersecurity, providing both encryption and integrity of the data being transmitted.

Conclusion: Encrypting the file and sending it over HTTPS is the most efficient and secure method for exfiltrating sensitive data, ensuring both confidentiality and reducing the risk of detection.

Question 6

A penetration tester creates a list of target domains that require further enumeration. The tester writes the following script to perform vulnerability scanning across the domains:

line 1: #!/usr/bin/bash

line 2: DOMAINS_LIST = "/path/to/list.txt"

line 3: while read -r i; do

line 4: nikto -h $i -o scan-$i.txt &

line 5: done

The script does not work as intended. Which of the following should the tester do to fix the script?

AChange line 2 to {'domain1', 'domain2', 'domain3', }.

BChange line 3 to while true; read -r i; do.

CChange line 4 to nikto $i | tee scan-$i.txt.

DChange line 5 to done < '$DOMAINS_LIST'.

Answer : D

The issue with the script lies in how the while loop reads the file containing the list of domains. The current script doesn't correctly redirect the file's content to the loop. Changing line 5 to done < '$DOMAINS_LIST' correctly directs the loop to read from the file.

Step-by-Step Explanation

Original Script:

DOMAINS_LIST='/path/to/list.txt'

while read -r i; do

nikto -h $i -o scan-$i.txt &

done

Identified Problem:

The while read -r i; do loop needs to know which file to read lines from. Without redirecting the input file to the loop, it doesn't process any input.

Solution:

Add done < '$DOMAINS_LIST' to the end of the loop to specify the input source.

Corrected script:

DOMAINS_LIST='/path/to/list.txt'

while read -r i; do

nikto -h $i -o scan-$i.txt &

done < '$DOMAINS_LIST'

done < '$DOMAINS_LIST' ensures that the while loop reads each line from DOMAINS_LIST.

This fix makes the loop iterate over each domain in the list and run nikto against each.

Reference from Pentesting Literature:

Scripting a

Question 7

A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Which of the following is the penetration tester attempting to enumerate?

AAttack path mapping

BAPI keys

CPasswords

DPermission

Answer : D

The command find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the permissions of the user running the file.

Step-by-Step Explanation

Understanding the Command:

find /: Search the entire filesystem.

-user root: Limit the search to files owned by the root user.

-perm -4000: Look for files with the SUID bit set.

-exec ls -ldb {} \;: Execute ls -ldb on each found file to list it in detail.

2>/dev/null: Redirect error messages to /dev/null to avoid cluttering the output.

Purpose:

Enumerating SUID Files: The command is used to identify files with elevated privileges that might be exploited for privilege escalation.

Security Risks: SUID files can pose security risks if they are vulnerable, as they can be used to execute code with root privileges.

Why Enumerate Permissions:

Identifying SUID files is a crucial step in privilege escalation as it reveals potential attack vectors that can be exploited to gain root access.

Reference from Pentesting Literature:

Enumeration of SUID files is a common practice in penetration testing, as discussed in various guides and write-ups.

HTB write-ups often detail how finding and exploiting SUID binaries can lead to root access on a target system.

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

CompTIA PT0-003 CompTIA PenTest+ Exam Practice Test