CompTIA PT0-003 CompTIA PenTest+ Exam Online Training

Question #51

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path("urls.txt").read_text().split("n"):

5 response = requests.get(url)

6 if response.status == 401:

7 print("URL accessible")

Which of the following changes is required?

A . The condition on line 6
B . The method on line 5
C . The import on line 1
D . The delimiter in line 3

Reveal Solution Hide Solution

Question #52

As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting.

Which of the following techniques would be best for the tester to use?

A . Establishing a reverse shell
B . Executing a process injection attack
C . Creating a scheduled task
D . Performing a credential-dumping attack

Reveal Solution Hide Solution

Question #53

In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:

sshpass -p donotchange ssh [email protected]

Which of the following should the tester attempt to do next to take advantage of this information? (Select two).

A . Use Nmap to identify all the SSH systems active on the network.
B . Take a screen capture of the source code repository for documentation purposes.
C . Investigate to find whether other files containing embedded passwords are in the code repository.
D . Confirm whether the server 192.168.6.14 is up by sending ICMP probes.
E . Run a password-spraying attack with Hydra against all the SSH servers.
F . Use an external exploit through Metasploit to compromise host 192.168.6.14.

Reveal Solution Hide Solution

Correct Answer: B, C
B, C

Explanation:

When a penetration tester discovers hard-coded credentials in a file within an unprotected source code repository, the next steps should focus on documentation and further investigation to identify additional security issues.

Taking a Screen Capture (Option B):

Documentation: It is essential to document the finding for the final report. A screen capture provides concrete evidence of the discovered hard-coded credentials.

Audit Trail: This ensures that there is a record of the vulnerability and can be used to communicate the issue to stakeholders, such as the development team or the client. Investigating for Other Embedded Passwords (Option C):

Thorough Search: Finding one hard-coded password suggests there might be others. A thorough investigation can reveal additional credentials, which could further compromise the security of the system.

Automation Tools: Tools like truffleHog, git-secrets, and grep can be used to scan the repository for

other instances of hard-coded secrets.

Pentest

Reference: Initial Discovery: Discovering hard-coded credentials often occurs during source code review or automated scanning of repositories.

Documentation: Keeping detailed records of all findings is a critical part of the penetration testing process. This ensures that all discovered vulnerabilities are reported accurately and comprehensively.

Further Investigation: After finding a hard-coded credential, it is best practice to look for other security issues within the same repository. This might include other credentials, API keys, or sensitive information.

Steps to Perform:

Take a Screen Capture:

Use a screenshot tool to capture the evidence of the hard-coded credentials. Ensure the capture includes the context, such as the file path and relevant code lines.

Investigate Further:

Use tools and manual inspection to search for other embedded passwords.

Commands such as grep can be helpful:

grep -r ‘password’ /path/to/repository

Tools like truffleHog can search for high entropy strings indicative of secrets:

trufflehog –regex –entropy=True /path/to/repository

By documenting the finding and investigating further, the penetration tester ensures a comprehensive assessment of the repository, identifying and mitigating potential security risks effectively.

Question #54

During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software.

Which of the following host-based attacks should the tester use?

A . On-path
B . Logic bomb
C . Rootkit
D . Buffer overflow

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host’s operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.

Step-by-Step Explanation

Definition and Purpose:

Rootkits are primarily used to gain and maintain root access (administrative privileges) on a system.

They disguise themselves as legitimate software or integrate deeply into the operating system to avoid detection.

Mechanisms of Action:

Kernel Mode Rootkits: These operate at the kernel level, which is the core of the operating system, making them very powerful and hard to detect.

User Mode Rootkits: These run in the same space as user applications, intercepting and altering standard system API calls to hide their presence.

Bootkits: These infect the Master Boot Record (MBR) or Volume Boot Record (VBR) and load before the operating system, making them extremely difficult to detect and remove. Detection and Prevention:

Detection Tools: Tools like RootkitRevealer, Chkrootkit, and rkhunter can help in identifying rootkits. Prevention: Regular system updates, use of strong antivirus and anti-malware solutions, and integrity checking tools like Tripwire can help in preventing rootkit infections. Real-World Examples:

Sony BMG Rootkit: In 2005, Sony BMG included a rootkit in their digital rights management (DRM) software on music CDs. The rootkit hid files and processes, leading to a major scandal when it was discovered.

Stuxnet: This sophisticated worm included a rootkit component to hide its presence on infected systems, making it one of the most infamous examples of rootkit use in a cyber attack. Reference from Pentesting Literature:

In "Penetration Testing – A Hands-on Introduction to Hacking" by Georgia Weidman, rootkits are discussed in the context of post-exploitation, where maintaining access to the compromised system is crucial.

Various HTB write-ups, such as the analysis of complex attacks involving multiple stages of exploitation, often highlight the use of rootkits in maintaining persistent access.

Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups on sophisticated attacks

Question #55

A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Which of the following tools should the penetration tester use?

A . Censys.io
B . Shodan
C . Wayback Machine
D . SpiderFoot

Reveal Solution Hide Solution

Question #56

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A—–> www

A—–> host

TXT –> vpn.comptia.org

SPF—> ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

A . MX
B . SOA
C . DMARC
D . CNAME

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email senders and receivers to improve and monitor the protection of the domain from fraudulent email.

Step-by-Step Explanation

Understanding DMARC:

SPF: Defines which IP addresses are allowed to send emails on behalf of a domain.

DKIM: Provides a way to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

DMARC: Uses SPF and DKIM to determine the authenticity of an email and specifies what action to

take if the email fails the authentication checks.

Implementing DMARC:

Create a DMARC policy in your DNS records. This policy can specify to reject, quarantine, or take no action on emails that fail SPF or DKIM checks.

Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected];

Benefits of DMARC:

Helps to prevent email spoofing and phishing attacks.

Provides visibility into email sources through reports.

Enhances domain reputation by ensuring only legitimate emails are sent from the domain.

DMARC Record Components:

v: Version of DMARC.

p: Policy for handling emails that fail the DMARC check (none, quarantine, reject). rua: Reporting URI of aggregate reports.

ruf: Reporting URI of forensic reports.

pct: Percentage of messages subjected to filtering. Real-World Example:

A company sets up a DMARC policy with p=reject to ensure that any emails failing SPF or DKIM checks are rejected outright, significantly reducing the risk of phishing attacks using their domain. Reference from Pentesting Literature:

In "Penetration Testing – A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.

HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.

Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups

Question #57

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester’s attacking hosts only.

Which of the following would be most appropriate to avoid alerting the SOC?

A . Apply UTF-8 to the data and send over a tunnel to TCP port 25.
B . Apply Base64 to the data and send over a tunnel to TCP port 80.
C . Apply 3DES to the data and send over a tunnel UDP port 53.
D . Apply AES-256 to the data and send over a tunnel to TCP port 443.

Reveal Solution Hide Solution

Question #58

A penetration tester gains access to a domain server and wants to enumerate the systems within the domain.

Which of the following tools would provide the best oversight of domains?

A . Netcat
B . Wireshark
C . Nmap
D . Responder

Reveal Solution Hide Solution

Question #59

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources.

Which of the following resources would most likely identify hardware and software being utilized by the client?

A . Cryptographic flaws
B . Protocol scanning
C . Cached pages
D . Job boards

Reveal Solution Hide Solution

Question #60

During an assessment, a penetration tester manages to get RDP access via a low-privilege user.

The tester attempts to escalate privileges by running the following commands: Import-Module .PrintNightmare.ps1

Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low.

Which of the following actions should the penetration tester take next?

A . Log off and log on with "hacker".
B . Attempt to add another user.
C . Bypass the execution policy.
D . Add a malicious printer driver.

Reveal Solution Hide Solution