Question 1

[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester
observes an access control vestibule and on-site security guards near the entry door in the lobby.
Which of the following is the best attack plan for the tester to use in order to gain access to the
facility?

Accepted Answer

C

Explanation: The command shown is a classic example of a Directory Traversal (also known as Path Traversal) attack. The payload 2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd is a URL-encoded string. When decoded, %2e becomes . and %2f becomes /. The resulting string is ../../../../etc/passwd. The ../ sequence is used to navigate up the file system's directory structure. The attacker's goal is to move outside of the web server's root directory to access sensitive system files, in this case, /etc/passwd, by exploiting a lack of input sanitization on the id parameter.

Question 2

[Attacks and Exploits]
During an internal penetration test, a tester compromises a Windows OS-based endpoint and
bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active
Directory (AD) local domain.
The tester’s main goal is to leverage credentials to authenticate into other systems within the Active
Directory environment.
Which of the following steps should the tester take to complete the goal?

Accepted Answer

A

Explanation: The tester's goal is to leverage credentials from a compromised domain-joined Windows endpoint for lateral movement within the Active Directory (AD) environment. Mimikatz is a post-exploitation tool specifically designed to extract credentials from memory, particularly from the Local Security Authority Subsystem Service (LSASS) process. On a domain-joined machine, LSASS often caches domain user credentials, including plaintext passwords, NTLM hashes, and Kerberos tickets. By running Mimikatz, the tester can dump these credentials and use them in attacks like Pass-the-Hash or Pass-the-Ticket to authenticate to other systems on the domain, directly fulfilling the objective.

Question 3

[Attacks and Exploits] During an assessment, a penetration tester gains a low-privilege shell and then runs the following command:

findstr /SIM /C:"pass" *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

Accepted Answer

D

Explanation: The command findstr /SIM /C:"pass" .txt .cfg .xml is a classic post-exploitation technique used to hunt for credentials and other sensitive information. The findstr utility searches for the string "pass" (case-insensitively) within common file types known to store configuration data and notes (.txt, .cfg, .xml). The goal is to locate hardcoded passwords, API keys, connection strings, or other confidential data, which are collectively referred to as "secrets." Discovering these secrets can enable privilege escalation or lateral movement within the target network.

Question 4

A penetration tester cannot complete a full vulnerability scan because the client's WAF is blocking
communications. During which of the following activities should the penetration tester discuss this
issue with the client?

Accepted Answer

D

Explanation: When a technical control, such as a Web Application Firewall (WAF), prevents the execution of an agreed-upon testing activity, it represents a significant obstacle that impacts the engagement's scope and timeline. The correct procedure is to pause the activity and communicate with the client. This communication process is known as stakeholder alignment. It ensures that the tester and client agree on a path forward, which could involve whitelisting the tester's IP address, temporarily modifying WAF rules, or adjusting the testing methodology. This proactive communication maintains transparency and ensures the engagement proceeds according to the client's direction and the established rules of engagement.

Question 5

[Tools and Code Analysis] Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Accepted Answer

A

Explanation: Endpoint and network-based DLP engines rely on clear-text inspection (regex, tokenisation, fingerprinting). They automatically unpack common archive formats and will usually block or quarantine traffic or files that are encrypted with unknown keys. However, many products do not recursively decode arbitrary content that has only been base-64/URL/hex encoded, so the sensitive byte patterns never appear in clear text to the detection engine. Simple content encoding therefore remains the most reliable, low-noise method for evading DLP inspection during a penetration test.

Question 6

[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester
observes an access control vestibule and on-site security guards near the entry door in the lobby.
Which of the following is the best attack plan for the tester to use in order to gain access to the
facility?

Accepted Answer

A

Explanation: The question asks to identify the target most likely to be attacked. The Exploit Prediction Scoring System (EPSS) is the primary metric for this, as it estimates the probability that a vulnerability will be exploited. Targets 1 and 3 have the highest EPSS score (0.6), indicating they are the most likely candidates. To decide between these two, the Common Vulnerability Scoring System (CVSS) score is used as a secondary factor. CVSS measures the technical severity of a vulnerability. An attacker will prioritize the target with the higher severity. Target 1 has a CVSS score of 4, while Target 3 has a score of 1. Therefore, Target 1 is the most attractive and likely target.

Question 7

[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester
observes an access control vestibule and on-site security guards near the entry door in the lobby.
Which of the following is the best attack plan for the tester to use in order to gain access to the
facility?

Accepted Answer

C

Explanation: The provided payload is a classic example of an XML External Entity (XXE) injection attack. The vulnerability exists because the application's XML parser is configured to process external entities defined within a Document Type Definition (DTD). The payload defines an entity &foo; that points to a local system file (/etc/passwd). When the parser resolves this entity, it includes the file's contents in the response. The most direct and effective method to prevent this vulnerability is to disable the processing of external entities and DTDs within the XML parser configuration. This remediation addresses the root cause at the application level, rendering it immune to this attack vector.

Question 8

[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester
observes an access control vestibule and on-site security guards near the entry door in the lobby.
Which of the following is the best attack plan for the tester to use in order to gain access to the
facility?

Accepted Answer

B

Explanation: The most effective attack plan is tailgating during a busy period. This social engineering technique exploits the human tendency to be less vigilant when rushed or in a crowd. An access control vestibule (mantrap) and security guards are designed to prevent unauthorized entry, but their effectiveness diminishes during high-traffic times. An attacker can blend in with a group of legitimate employees, making it difficult for guards to challenge every individual and potentially bypassing the one-person-at-a-time mechanism of the vestibule if protocols are relaxed due to the rush. This method directly targets the weakest link—human factors—to achieve the primary goal of initial physical access.

Question 9

[Attacks and Exploits]
A penetration tester is performing an authorized physical assessment. During the test, the tester
observes an access control vestibule and on-site security guards near the entry door in the lobby.
Which of the following is the best attack plan for the tester to use in order to gain access to the
facility?

Accepted Answer

A

Explanation: The primary goal is to prevent a payload from being blocked by antimalware. The command in option A utilizes msfvenom with the --encoder x86-64/shikataganai flag. Encoders are used to obfuscate shellcode, altering its signature to evade detection by signature-based security solutions like antimalware. The shikataganai encoder is a well-known polymorphic encoder designed for this purpose. By encoding the windows/bindtcp payload, the tester is actively attempting to bypass the target's defenses, which directly addresses the question's requirement.

Question 10

During an assessment, a penetration tester sends the following request:

POST /services/v1/users/create HTTP/1.1

Host: target-application.com Content-Type:

application/json Content-Length: [dynamic]

Authorization: Bearer (FUZZ)

Which of the following attacks is the penetration tester performing?

Accepted Answer

B

Explanation: The HTTP request is directed at an API endpoint, as indicated by the URL path /services/v1/users/create. The penetration tester is using a fuzzing technique, denoted by (FUZZ), to systematically inject malformed or unexpected data into the Authorization: Bearer header. This action is a direct attempt to test the API's authentication and authorization mechanisms for vulnerabilities, such as weak token validation, improper error handling, or authentication bypasses. Probing an API's security controls in this manner is a form of security testing that falls under the broad category of API abuse.

Question 11

HOTSPOT [Information Gathering and Vulnerability Scanning] A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest. INSTRUCTIONS Select the tool the penetration tester should use for further investigation. Select the two entries in the robots.txt file that the penetration tester should recommend for removal. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_127_img_1.jpg

Accepted Answer

PART 1: TOOL SELECTION

CORRECT ANSWER: WPSCAN

PART 2: ENTRIES FOR REMOVAL

CORRECT ANSWER:
14 ALLOW: /ADMIN
15 ALLOW: /WP-ADMIN

Explanation: The robots.txt file explicitly lists paths such as /wp-admin and /wp-login.php . These are default paths for a WordPress content management system (CMS). WPScan is a specialized vulnerability scanner designed specifically to enumerate users, plugins, themes, and check for known security weaknesses in WordPress installations. Therefore, it is the most appropriate and precise tool for conducting a more in-depth investigation based on the initial reconnaissance. The other tools are incorrect as Mimikatz is for credential extraction, Brakeman is for Ruby on Rails, and SQLmap is for SQL injection testing. The robots.txt file is not a security mechanism; it is a public file that provides instructions to web crawlers. Listing sensitive directory paths, such as administrative portals ( /admin , /wp-admin ), in this file is a significant security misconfiguration. It provides attackers with direct knowledge of where to focus their efforts to find login pages and attempt unauthorized access. Recommending the removal of these entries helps to prevent this information disclosure, a practice aligned with the principle of security through obscurity as a supplementary defense layer.

Question 12

[Attacks and Exploits] A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_128_img_1.jpg Part 1: . Analyze the output and select the command to exploit the vulnerable service. Part 2: . Analyze the output from each command. · Select the appropriate set of commands to escalate privileges. · Identify which remediation steps should be taken. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_129_img_1.jpg

Accepted Answer

PART 1: EXPLOIT VULNERABLE SERVICE

CORRECT ANSWER: HYDRA -L LOWPRIV -P 500-WORST-PASSWORDS.TXT -T 4 SSH://192.168.10.2:22

PART 2: PRIVILEGE ESCALATION & REMEDIATION

PRIVILEGE ESCALATION COMMANDS

CORRECT ANSWER: PERL -LE 'PRINT CRYPT("PASSWORD", "AA")' FOLLOWED BY THE CAT, ECHO, AND CP COMMANDS TO OVERWRITE /ETC/PASSWD.

REMEDIATION STEPS

CORRECT ANSWERS (SELECT TWO):
STRENGTHEN PASSWORD OF LOWPRIV ACCOUNT
REMOVE SUID BIT FROM CP

Explanation: The reconnaissance phase using nmap reveals that the SSH service on port 22 is open . The enumeration phase with enum4linux identifies lowpriv as a valid username. The selected hydra command correctly targets the open SSH service to perform a dictionary-based brute-force attack against the known user lowpriv . The other options are incorrect because they target services that the nmap scan explicitly lists as closed ( telnet , rdp , rpcbind ), making them impossible to exploit. This makes the hydra command the only viable option to gain initial access. This sequence is a classic method for privilege escalation on improperly configured Linux systems. By adding a new user with a User ID (UID) of 0 to the /etc/passwd file, that user gains root-level privileges. This attack's success hinges on the attacker having write permissions to the /etc/passwd file. Such permissions might exist directly on the file or be obtained by exploiting a utility with the SUID (Set User ID) bit enabled, such as cp , which was specifically searched for during reconnaissance ( find / -perm -u=s ). A complete remediation addresses both the initial point of compromise and the method of escalation. The initial access was achieved by brute-forcing a weak password on the lowpriv account. Therefore, strengthening the password and implementing a strong password policy is the direct remediation for this vector. The privilege escalation was accomplished by overwriting the /etc/passwd file. The reconnaissance command find / -perm -u=s indicates the attacker was looking for SUID vulnerabilities. An SUID bit on the cp command would allow a low-privilege user to run it with root permissions, enabling the overwrite of a system file. Removing unnecessary SUID bits from system binaries is a critical security hardening practice to prevent this escalation path.

Question 13

HOTSPOT -You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTION - Giving the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Hot Area:

Accepted Answer

HERE IS A BREAKDOWN OF THE CORRECT SELECTIONS FOR EACH PAYLOAD:

PAYLOAD 1: LOOKUP=WHOAMI
VULNERABILITY TYPE: COMMAND INJECTION
REMEDIATION: PREVENTING EXTERNAL CALLS
PAYLOAD 2: SEARCH=BOB%3CIMG%20SRC...
VULNERABILITY TYPE: REFLECTED CROSS SITE SCRIPTING
REMEDIATION: INPUT SANITIZATION ', ", ;, <, >, &
PAYLOAD 3: LOGFILE=%2FETC%2FPASSWD%00
VULNERABILITY TYPE: LOCAL FILE INCLUSION
REMEDIATION: INPUT SANITIZATION /..
PAYLOAD 4: INNER-TAB"><SCRIPT>ALERT(1);</SCRIPT>
VULNERABILITY TYPE: DOM-BASED CROSS SITE SCRIPTING
REMEDIATION: INPUT SANITIZATION ', ", ;, <, >, &
PAYLOAD 5: SITE=...PING%20-C%2010...
VULNERABILITY TYPE: COMMAND INJECTION
REMEDIATION: PREVENTING EXTERNAL CALLS
PAYLOAD 6: REDIS=HTTP%3A%2F%2FWWW.MALICIOUS-SITE.COM
VULNERABILITY TYPE: URL REDIRECT
REMEDIATION: INPUT SANITIZATION ', ", ;, <, >, &
PAYLOAD 7: ITEM=WIDGET';WAITFOR%20DELAY...
VULNERABILITY TYPE: SQL INJECTION (STACKED)
REMEDIATION: PARAMETERIZED QUERIES
PAYLOAD 8: ITEM=WIDGET%20UNION%20SELECT...
VULNERABILITY TYPE: SQL INJECTION (UNION)
REMEDIATION: PARAMETERIZED QUERIES
PAYLOAD 9: ITEM=WIDGET'+CONVERT(INT, @@VERSION)+'
VULNERABILITY TYPE: SQL INJECTION (ERROR)
REMEDIATION: PARAMETERIZED QUERIES
PAYLOAD 10: LOGFILE=HTTP%3A%2F%2F...SHELL.TXT
VULNERABILITY TYPE: REMOTE FILE INCLUSION
REMEDIATION: INPUT SANITIZATION /..

Explanation: The solution correctly identifies ten common web application attack vectors and maps them to their specific vulnerability types and most effective remediation strategies. Command Injection ( whoami , ping ) involves executing OS commands and is best mitigated by fundamentally disallowing the application from making shell calls ( Preventing external calls ). SQL Injection ( waitfor , union select , convert ) is most effectively prevented using parameterized queries (prepared statements), which ensure user input is treated as data, not executable code. Cross-Site Scripting (XSS) payloads are remediated by input sanitization , specifically output encoding of characters like < , > , and " to prevent the browser from interpreting them as active content. File Inclusion (LFI/RFI) attacks are mitigated by sanitizing path-related characters ( / , .. ) to prevent directory traversal or inclusion of unauthorized files. URL Redirects are mitigated by validating and sanitizing user-supplied URLs to prevent redirection to malicious sites.

Question 14

[Attacks and Exploits] You are a penetration tester running port scans on a server. INSTRUCTIONS Part 1: Given the output, construct the command that was used to generate this output from the available options. Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_93_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_94_img_1.jpg

Accepted Answer

PART 1: COMMAND CONSTRUCTION

CORRECT ANSWER: NMAP -SV -O --TOP-PORTS=100 192.168.2.2

PART 2: ATTACK VECTOR IDENTIFICATION

CORRECT ANSWER:
WEAK SMB FILE PERMISSIONS
NULL SESSION ENUMERATION

Explanation: For Part 1 , the command is derived directly from the scan output. The presence of SERVICE VERSION requires the -sV switch for version detection. The detailed operating system information ( Running: Linux 2.4.X ) requires the -O switch for OS detection. The summary line "Not shown: 96 closed ports" combined with the 4 visible open ports confirms that exactly 100 ports were scanned, corresponding to the --top-ports=100 option. The scan log indicates a single host was targeted. For Part 2 , the open TCP ports 139 ( netbios-ssn ) and 445 ( microsoft-ds ) indicate active SMB services. These services are historically susceptible to information gathering and misconfiguration exploits. A null session enumeration is a primary technique for anonymously querying these services to gather intelligence like usernames and share names. Following enumeration, testing for weak SMB file permissions on any accessible shares is a standard and critical step for a penetration tester.

Question 15

SIMULATION - A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets. INSTRUCTIONS - Select the appropriate answer(s), given the output from each section. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_111_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_112_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_113_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_114_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_115_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_116_img_1.jpg

Accepted Answer

PART 1: THEHARVESTER ANALYSIS (IMAGE_8AC2B5.PNG)

CORRECT ANSWER (TOOL): THEHARVESTER
CORRECT ANSWER (COMMAND): THEHARVESTER -D SOMECLOUDDOMAIN.ORG -L 200 -B GOOGLE.COM

PART 2: DNS COMMAND ANALYSIS (IMAGE_8AC2AD.PNG)

CORRECT ANSWER:
$ DIG @8.8.8.8 +NOALL +ANSWER SOMECLOUDDOMAIN.ORG
> NSLOOKUP SOMECLOUDDOMAIN.ORG 8.8.8.8

PART 3: WHOIS DATA ANALYSIS (IMAGE_8AC28E.PNG)

WHERE IS THE DOMAIN BEING HOSTED?
CORRECT ANSWER: AMAZON
WHO REGISTERED THE DOMAIN?
CORRECT ANSWER: LOCALCOMPUTERPRO'S, INC.
WHEN WAS THE DOMAIN REGISTERED?
CORRECT ANSWER: 1993-09-22T04:00:38Z

Explanation: The output shown in the Output 3 tab is characteristic of TheHarvester , a tool used for open-source intelligence (OSINT) gathering. It enumerates emails, subdomains, hosts, and other information from public sources like search engines. The command theharvester -d someclouddomain.org -l 200 -b google.com correctly specifies the target domain ( -d someclouddomain.org ), limits the search to 200 results ( -l 200 ), and uses Google as the data source ( -b google.com ), all of which align with the details presented in the output. The scenario states that the local DNS server ( 192.168.20.66 ) lacks internet access, forcing the use of the public DNS server at 8.8.8.8 . The nslookup someclouddomain.org 8.8.8.8 command explicitly queries the correct public server, matching the nslookup output. The dig @8.8.8.8 ... command is the only dig option that correctly directs the query to the functional public DNS server. The other dig options would fail as they either query the offline local server or the default server (which is the offline local server). These answers are found by analyzing the whois information in the Output 1 tab . Hosting: The whois query for the IP address 245.62.183.203 (an IP for the domain from Output 2) shows the owning organization is "Amazon.com, Inc." , indicating it's hosted on their infrastructure (e.g., AWS). Registrar: The whois query for the domain someclouddomain.org explicitly lists the "Registrar: LocalComputerPro's, Inc." Registration Date: The same domain whois report shows the "Creation Date: 1993-09-22T04:00:38Z" .

Free Top CompTIA Pentest+ PT0-003 Actual Exam Questions