
CompTIA exam questions

CompTIA PenTest+ PT0-002 practice test

Use this page to practise CompTIA PenTest+ PT0-002 questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

Practice questions: 300
Topics covered: Mapped
Exam code: PT0-002
Vendor: CompTIA


Practice set

CompTIA PenTest+ PT0-002 questions

Question 1 (hard, multiple choice)

A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?

Question 2 (easy, multiple choice)

A penetration tester is analyzing a Bash script that contains the following line: `for ip in $(cat ip_list.txt); do nc -zv $ip 22; done`. What is the primary purpose of this script?

Question 3 (medium, multiple choice)

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

Question 4 (medium, multiple choice)

A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?

Question 5 (medium, multiple choice)

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

Question 6 (hard, multiple choice)

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

Question 7 (medium, multi select)

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.)

Question 8 (easy, multiple choice)

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

Question 9 (easy, multiple choice)

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

Question 10 (easy, multiple choice)

A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?

Question 11 (easy, multiple choice)

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

Question 12 (medium, multiple choice)

A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: `curl -X POST -d "username=admin&password[$ne]=a" http://target/login`. Which type of attack is this script most likely attempting?

Question 13 (easy, multiple choice)

A penetration tester is analyzing a Bash script used for post-exploitation enumeration. The script contains the line: `cat /etc/shadow | awk -F: '{print $1, $2}'`. What is the primary purpose of this command?

Question 14 (medium, multiple choice)

A penetration tester is analyzing a PowerShell script that contains the following code: `Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State`. What is the primary purpose of this script?

Question 15 (medium, multiple choice)

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

Question 16 (medium, multiple choice)

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

Question 17 (medium, multiple choice)

A client is planning a penetration test of their internal network but refuses to provide network diagrams or access to a staging environment. The tester is concerned about causing a denial of service (DoS) on critical systems. Which clause should be included in the rules of engagement to mitigate this risk?

Question 18 (medium, multiple choice)

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

Question 19 (easy, multiple choice)

A client requests a penetration test that simulates an external attacker with no prior knowledge of the internal network. The tester is not provided with any credentials, network diagrams, or source code. Which type of test does this describe?

Question 20 (medium, multiple choice)

A client requires a penetration test of their web application that uses Single Sign-On (SSO) with a third-party identity provider. The client is concerned that testing could lock out real user accounts and disrupt operations. Which of the following should be included in the rules of engagement to address this concern?

Question 21 (easy, multiple choice)

A client asks a penetration tester to perform a test on an e-commerce website. The website experiences high traffic during weekdays and major sales events. To minimize business disruption, when should the tester schedule the active scanning and exploitation activities?

Question 22 (medium, multiple choice)

A client asks why a medium-severity finding should be remediated before a high-severity finding. The medium finding is internet-facing and actively exploited; the high finding is isolated in a lab subnet. What is the best explanation?

Question 23 (medium, multiple choice)

A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?

Question 24 (hard, multiple choice)

A client has a critical web application that cannot be tested in the production environment due to availability requirements. A staging environment exists that exactly mirrors production, but it uses different IP addresses, domain names, and a subset of data. The staging environment is isolated from production networks. Which scoping element is most important to include in the rules of engagement to ensure a valid test?

Exam question guide

How to use these PT0-002 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
