PT0-003 Exam Dumps - CompTIA PenTest+ Questions and Answers

The correct answer is A. Mimikatz

The KRBTGT account is a special Active Directory account used by the Key Distribution Center to encrypt and sign Kerberos tickets. If the KRBTGT account password has not been changed for a long time, and an attacker obtains the account hash, the attacker can use it to forge Kerberos Ticket Granting Tickets. This is known as a Golden Ticket attack.

Mimikatz is the tool commonly used to extract credentials, obtain Kerberos-related secrets, and create forged Kerberos tickets such as Golden Tickets. With a valid forged ticket, an attacker may maintain long-term domain persistence and impersonate privileged users.

B is incorrect because John the Ripper is primarily used for offline password cracking. It does not create or inject Kerberos Golden Tickets.

C is incorrect because Hashcat is also used for password/hash cracking. It may help crack hashes, but it is not the primary tool used to exploit a stale KRBTGT password through Golden Ticket creation.

D is incorrect because Hydra is an online password brute-force tool. It is not used for Kerberos ticket forgery.

In PenTest+ terms, this falls under Attacks and Exploits, specifically Active Directory attacks, Kerberos abuse, credential attacks, and Golden Ticket persistence.

By running the command findstr /SIM /C: " pass " *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.

Command Analysis:

findstr: A command-line utility in Windows used to search for specific strings in files.

/SIM: Combination of options; /S searches for matching files in the current directory and all subdirectories, /I specifies a case-insensitive search, and /M prints only the filenames with matching content.

/C: " pass " : Searches for the literal string " pass " .

***.txt .cfg .xml: Specifies the file types to search within.

Objective:

The command is searching for the string " pass " within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).

These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.

Other Options:

Configuration files: While .cfg and .xml files can be configuration files, the specific search for " pass " indicates looking for secrets like passwords.

Permissions: This command does not check or enumerate file permissions.

Virtual hosts: This command is not related to enumerating virtual hosts.

Pentest References:

Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.

Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.

By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.

======

To maintain persistence after a reboot, the tester needs a method that automatically restarts when the system reboots.

Option A (Reverse shell) ❌: Reverse shells do not persist after a reboot unless paired with scheduled tasks or registry modifications.

Option B (Process injection) ❌: Injecting into a process is temporary—once the system reboots, the injected process is gone.

Option C (Scheduled task) ✅: Correct.

A scheduled task can execute malware, reverse shells, or scripts on system startup, ensuring persistence.

Example:

schtasks /create /sc onlogon /tn " SystemUpdate " /tr " C:\malicious.exe "

Option D (Credential dumping) ❌: While useful for privilege escalation, it does not provide persistence.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Persistence Techniques

During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here ' s a detailed explanation of why clearing the Windows event logs is the best method for this scenario:

Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.

Why Clear Windows Event Logs:

Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.

Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.

Method to Clear Event Logs:

Use the built-in Windows command line utility wevtutil to clear logs. For example:

shell

Copy code

wevtutil cl System

wevtutil cl Security

wevtutil cl Application

These commands clear the System, Security, and Application logs, respectively.

Alternative Options and Their Drawbacks:

Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.

Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones and can alert administrators to suspicious activity.

Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs and can be easily noticed by administrators.

Case References:

HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth. For example, in the " Gobox " and " Writeup " machines, maintaining a low profile involved managing log data to avoid detection​​​​.

Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.

In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester ' s actions remain undetected.

======

Dynamic Application Security Testing (DAST):

DAST tools interact with the running application from the outside, simulating attacks to identify security vulnerabilities.

They are particularly effective in identifying issues like SQL injection, XSS, CSRF, and other vulnerabilities in web applications.

DAST tools do not require access to the source code, making them suitable for black-box testing.

Advantages of DAST:

Real-World Testing: DAST simulates real-world attacks by interacting with the application in the same way a user would.

Comprehensive Coverage: Can identify vulnerabilities in all parts of the web application, including input fields, forms, and user interactions.

Automated Scanning: Automates the process of testing and identifying vulnerabilities, providing detailed reports on discovered issues.

Examples of DAST Tools:

OWASP ZAP (Zed Attack Proxy): An open-source DAST tool widely used for web application security testing.

Burp Suite: A popular commercial DAST tool that provides comprehensive scanning and testing capabilities.

Pentest References:

Web Application Testing: Understanding the importance of testing web applications for security vulnerabilities and the role of different testing methodologies.

Security Testing Tools: Familiarity with various security testing tools and their applications in penetration testing.

DAST vs. SAST: Knowing the difference between DAST (dynamic testing) and SAST (static testing) and when to use each method.

By using a DAST tool, the penetration tester can effectively identify all vulnerable input fields on the customer website, ensuring a thorough assessment of the application ' s security.

======

During an active PenTest+ engagement, goal changes are most commonly driven by new, material risk that affects the client’s threat landscape or business exposure. A publicly disclosed zero-day vulnerability can immediately change what the organization considers most critical because it may be actively exploited in the wild, may impact internet-facing systems, and may require urgent validation of compensating controls, patch readiness, or exposure level. In PenTest+ planning and scoping practices, the tester and client may revisit priorities mid-engagement when emerging threats create a higher likelihood of compromise or when leadership requires rapid answers (for example, “Are we vulnerable?” and “Can you prove impact?”).

Decommissioning an end-of-life server (A) typically reduces scope rather than reprioritizing goals, and it is a routine operational change. Not capturing artifacts (C) is a tester process/quality issue addressed through engagement management, not a client-driven reprioritization trigger. Assigning a new lead tester (D) is a staffing change and should not alter the client’s goals unless scope and requirements change. The zero-day disclosure is the clearest driver for reprioritization.

The correct answer is C. Prompt injection

Prompt injection occurs when an attacker crafts input that causes an AI system to ignore, bypass, or override its intended instructions, safety rules, or output restrictions. In this scenario, the chatbot accepts harmful or policy-violating variations, including malicious links, encoded data leakage, and abusive content. These are indicators that user-supplied prompts can manipulate the chatbot’s behavior.

A is incorrect because container escape involves breaking out of an isolated container environment to access the host or other containers. The question is about manipulating chatbot responses, not container isolation.

B is incorrect because output fuzzing is a testing technique that varies inputs to observe how outputs change. It may be used to discover the issue, but it is not the vulnerability being described.

D is incorrect because model manipulation generally refers to changing or poisoning the model itself, such as altering training data, weights, or behavior at the model level. The scenario describes malicious user inputs affecting responses, which is prompt injection.

In PenTest+ terms, this falls under Attacks and Exploits, specifically AI/LLM-related attacks, prompt injection, and testing for unsafe chatbot behavior.

Capturing plaintext credentials in network traffic is done using packet sniffing. Wireshark is the best tool for this task.

Option A (Burp Suite) ❌: Used for web application testing and intercepting HTTPS traffic, but not general network sniffing.

Option B (Wireshark) ✅: Correct.

Wireshark is a packet analysis tool that captures unencrypted network traffic, including plaintext credentials.

Option C (ZAP - Zed Attack Proxy) ❌: Similar to Burp Suite, but focused on web application security, not network packet capture.

Option D (Metasploit) ❌: Metasploit is used for exploitation rather than capturing traffic.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Packet Sniffing & Network Traffic Analysis

When concluding a penetration test, effectively communicating the need for vulnerability remediation is crucial. Here’s why the articulation of impact is the most important aspect:

Articulation of Cause (Option A):

This involves explaining the root cause of the vulnerabilities discovered during the penetration test.

Importance: While understanding the cause is essential for long-term remediation and prevention, it does not directly convey the urgency or potential consequences of the vulnerabilities.

Articulation of Impact (Option B):

This involves describing the potential consequences and risks associated with the vulnerabilities. It includes the possible damage, such as data breaches, financial losses, reputational damage, and operational disruptions.

Importance: The impact provides the client with a clear understanding of the severity and urgency of the issues. It helps prioritize remediation efforts based on the potential damage that could be inflicted if the vulnerabilities are exploited.

The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for security testing that includes 14 components in its life cycle. Here’s why option B is correct:

OSSTMM: This methodology breaks down the security testing process into 14 components, covering various aspects of security assessment, from planning to execution and reporting.

OWASP MASVS: This is a framework for mobile application security verification and does not have a 14-component life cycle.

MITRE ATT & CK: This is a knowledge base of adversary tactics and techniques but does not describe a 14-component life cycle.

CREST: This is a certification body for penetration testers and security professionals but does not provide a specific 14-component framework.

References from Pentest:

Anubis HTB: Emphasizes the structured approach of OSSTMM in conducting comprehensive security assessments​​.

Writeup HTB: Highlights the use of detailed methodologies like OSSTMM to cover all aspects of security testing​​.

Conclusion:

Option B, OSSTMM, is the framework that breaks the life cycle into 14 components, making it the correct answer.

======