CompTIA PenTest+ PT0-002 (PT0-002) — Questions 976–993

993 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976 · MCQ · medium

During a Linux privilege escalation attempt, a tester finds a binary with the SUID bit set that is not on the GTFOBins list. The binary executes /bin/bash with the effective UID of root. What is the most likely way to exploit this?

A. Use GTFOBins to find a suitable exploit
B. Perform a buffer overflow on the binary
C. Run the binary with the -p flag
D. Modify the PATH to include a fake binary
Answer: C

Running a SUID binary that spawns a shell with -p preserves the effective UID, giving root.

Why this answer

If a binary runs a shell or command as root, the tester can simply run it to get a root shell.

977 · MCQ · easy

A tester is attempting to crack WPA2 handshakes captured from a wireless network. Which hashcat mode should be used?

A. -m 13100
B. -m 1000
C. -m 0
D. -m 22000
Answer: D

Correct: Mode 22000 is for WPA/WPA2.

Why this answer

Hashcat mode 22000 is used for WPA-PBKDF2-PMKID+EAPOL (WPA/WPA2) handshakes.

978 · MCQ · medium

A penetration tester wants to fuzz a network protocol to find buffer overflows. Which tool is most appropriate?

A. John the Ripper
B. Peach Fuzzer
C. Nessus
D. Wireshark
Answer: B

Peach Fuzzer generates malformed data for protocol fuzzing.

Why this answer

Option B is correct because Peach Fuzzer is designed for protocol fuzzing. Option A is wrong because John the Ripper cracks passwords. Option C is wrong because Nessus is a vulnerability scanner. Option D is wrong because Wireshark captures packets.

979 · Drag & Drop · medium

Drag and drop the steps to perform privilege escalation on a Linux system using kernel exploit enumeration into the correct order.

Why this order

Privilege escalation requires system info gathering, exploit search, compilation, execution, and verification.

980 · Multi-Select · hard

A penetration tester is performing a wireless assessment and wants to set up an evil twin attack. Which of the following steps are necessary? (Choose THREE.)

Select 3 answers
A. Create a rogue access point with the same SSID as the target network
B. Configure WPA3 encryption on the rogue AP
C. Use Wireshark to decrypt the traffic
D. Capture the WPA handshake when clients attempt to connect
E. Send deauthentication frames to disconnect clients from the genuine AP
Answers: A, D, E

The evil twin must mimic the legitimate AP.

Why this answer

An evil twin attack involves creating a rogue access point with the same SSID as a legitimate network, deauthenticating clients, and capturing the handshake.

981 · Multi-Select · hard

A tester has compromised a Linux server and wants to maintain persistence. Which three actions would be typical for post-exploitation? (Choose three.)

Select 4 answers
A. Change the root password to a known value
B. Install a web shell in the web root directory
C. Disable SELinux
D. Create a new user account with root privileges
E. Add an SSH public key to the root authorized_keys file
Answers: A, B, D, E

Also a common persistence method.

Why this answer

Changing the root password to a known value ensures the tester can regain root access even if the original password is changed or the session is lost. This is a common persistence technique because it directly controls authentication credentials for the most privileged account on the system.

Exam trap

Cisco often tests the distinction between persistence (maintaining access) and defense evasion (hiding or disabling security controls), so candidates mistakenly select disabling SELinux as a persistence action when it is actually a technique to avoid detection or enforcement of policies.

982 · MCQ · medium

A penetration tester is evaluating the security of a WordPress site. Which tool is specifically designed to scan WordPress installations for vulnerabilities?

A. Nessus
B. WPScan
C. OpenVAS
D. Nikto
Answer: B

WPScan is specifically built for WordPress security assessments.

Why this answer

WPScan is a dedicated WordPress vulnerability scanner that checks for known vulnerabilities in WordPress core, plugins, and themes.

983 · MCQ · easy

A penetration tester wants to identify live hosts on a large internal network. Which Nmap option would be the FASTEST for initial host discovery?

A. -sV (Version detection)
B. -sS (SYN stealth scan)
C. -sn (Ping sweep)
D. -A (Aggressive scan)
Answer: C

The -sn option uses minimal probes to determine host availability and is the fastest method for host discovery.

Why this answer

The -sn option performs a ping sweep, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. It does not perform port scanning, making it the fastest method for initial host discovery on a large internal network because it only checks for host availability without enumerating services.

Exam trap

The trap here is that candidates often confuse host discovery with port scanning, assuming that a SYN scan (-sS) is the fastest because it is stealthy, but they overlook that -sn is designed specifically for host discovery and avoids the overhead of port scanning entirely.

How to eliminate wrong answers

Option A is wrong because -sV performs version detection, which requires an open port to be found first and then sends additional probes to determine service versions, making it significantly slower and not suitable for initial host discovery. Option B is wrong because -sS performs a SYN stealth scan, which scans for open ports on each host, requiring multiple packet exchanges per port and per host, which is much slower than a simple ping sweep for just identifying live hosts.

984 · MCQ · hard

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A. Statement of Work (SOW)
B. List of allowed AWS regions and associated VPC CIDR ranges
C. Data Processing Agreement (DPA)
D. Penetration testing methodology document
Answer: B

This explicitly defines the geographic scope, preventing tests in non-US regions and ensuring compliance with data sovereignty laws.

Why this answer

Option B is correct because the rules of engagement (ROE) must explicitly define the authorized scope to prevent testing outside US-based regions, which could violate data sovereignty laws. Listing allowed AWS regions and their associated VPC CIDR ranges provides a precise technical boundary for the penetration test, ensuring that only in-scope systems are targeted. Without this, the testing team might inadvertently access resources in non-US regions, leading to legal and compliance breaches.

Exam trap

The trap here is that candidates often confuse the SOW (which defines high-level scope) with the ROE (which requires specific technical boundaries like region and CIDR lists), leading them to select Option A instead of the more precise Option B.

How to eliminate wrong answers

Option A is wrong because a Statement of Work (SOW) describes the overall project objectives, deliverables, and timelines, but it does not provide the granular technical scope (e.g., specific AWS regions and IP ranges) required to enforce data sovereignty restrictions during testing. Option C is wrong because a Data Processing Agreement (DPA) governs how personal data is processed and protected between parties, but it does not define the operational boundaries (e.g., which AWS regions or VPCs are permitted) for a penetration test; it is a legal document, not a scoping control.

985 · Multi-Select · hard

Which TWO of the following actions are appropriate when handling personally identifiable information (PII) discovered during a penetration test?

Select 2 answers
A. Include raw PII in the report as proof of access
B. Transfer PII to the client's secure storage for inclusion in the report
C. Securely delete any PII that is not required for reporting
D. Redact or mask PII in screenshots and logs before inclusion
E. Anonymize PII by replacing with fake data in the report
Answers: C, D

Minimizes data retention.

Why this answer

Options C and D are correct. Raw PII should not be included in reports; instead, use redacted or masked evidence (D). Any PII that was collected but is not required for reporting must be securely deleted (C).

Option A violates PII protection requirements. Option E is acceptable but not the best practice; redaction is preferred over anonymization when evidence is needed. Option B is incorrect because it transfers risk inappropriately.

986 · MCQ · medium

During a penetration test, the tester discovers active ransomware on a critical server. Which communication should the tester perform FIRST according to standard rules of engagement?

A. Include it in the final report
B. Immediately notify the client's emergency contact
C. Attempt to contain the ransomware
D. Log the finding and continue testing
Answer: B

The tester should promptly alert the client to allow them to take immediate action to mitigate the active threat.

Why this answer

The standard rules of engagement (ROE) for penetration testing require immediate notification of the client's emergency contact upon discovery of active ransomware. This is because ransomware represents an active, ongoing security incident that demands urgent response to prevent data loss and further spread, overriding the normal testing timeline. The tester must not attempt containment or continue testing, as those actions could interfere with incident response or violate legal boundaries.

Exam trap

CompTIA often tests the misconception that a penetration tester should attempt to contain or remediate active threats, but the correct action is always to notify the client's emergency contact immediately, as testers are observers, not incident responders.

How to eliminate wrong answers

Option A is wrong because including ransomware in the final report delays critical notification, potentially allowing the ransomware to encrypt more data or spread laterally, which violates the ROE requirement for immediate incident reporting. Option C is wrong because the tester lacks authorization and expertise to contain ransomware; attempting containment could destroy forensic evidence, trigger further encryption, or breach legal agreements. Option D is wrong because logging and continuing testing ignores the active threat, risking catastrophic data loss and violating the ethical duty to report imminent harm under the ROE.

987 · MCQ · medium

A penetration tester is preparing the final report. The client's legal team requests a document that outlines the scope, limitations, and any data handling procedures to comply with regulatory requirements. Which section of the report should include this information?

A. Executive Summary
B. Methodology
C. Scope and Rules of Engagement
D. Technical Findings
Answer: C

This section explicitly states the authorized scope, limitations, and data handling procedures, meeting legal and compliance requirements.

Why this answer

The Scope and Rules of Engagement section is the correct location for documenting the scope, limitations, and data handling procedures because it formally defines the boundaries of the penetration test, including authorized targets, testing windows, and legal constraints. This section ensures compliance with regulatory requirements by specifying how data is collected, stored, and disposed of, which is critical for audits and legal review.

Exam trap

The trap here is that candidates confuse the Executive Summary with a catch-all for legal disclaimers, but the exam expects the precise placement of contractual and compliance details in the Scope and Rules of Engagement section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview of findings and risk posture for management, not the detailed legal and procedural boundaries of the engagement. Option B is wrong because the Methodology section describes the technical approach, tools, and techniques used (e.g., NIST SP 800-115 phases), not the contractual scope or data handling policies.

988 · Matching · medium

Match each vulnerability category to its description.

Attacker injects malicious SQL queries

Attacker injects client-side scripts into web pages

Attacker tricks user into performing unwanted actions

Writing more data to a buffer than it can hold

Accessing files outside the web root directory

Why these pairings

These are common web application vulnerabilities tested in the PT0-002 exam.

989 · MCQ · medium

A penetration tester is attempting to exploit a Linux system that has ASLR and DEP enabled. The tester has identified a buffer overflow vulnerability in a network service compiled without stack canaries and with a non-executable stack (NX). The binary is statically linked and not PIE. Which exploitation technique is most likely to succeed under these conditions?

A. Heap spraying to place shellcode in the heap and then overwrite a function pointer to execute the shellcode
B. Return-to-libc attack using libc functions
C. Return-Oriented Programming (ROP) to call mprotect and then execute shellcode on the stack
D. Ret2plt to call system() via the PLT
Answer: C

ROP allows the attacker to chain gadgets to call mprotect and change memory permissions on the stack to executable, then jump to shellcode placed on the stack. This bypasses NX while leveraging the known addresses from the statically linked, non-PIE binary.

Why this answer

Option C is correct because the binary is statically linked (no libc to return to) and has a non-executable stack (NX), so shellcode cannot execute directly on the stack. Return-Oriented Programming (ROP) allows the attacker to chain gadgets from the binary itself to call mprotect() and change the stack region to executable, then pivot to shellcode placed on the stack. Since ASLR is enabled but the binary is not PIE, its code base address is fixed, making ROP gadgets reliably addressable.

Exam trap

The trap here is that candidates assume return-to-libc is always viable, forgetting that a statically linked binary has no libc to return to, making ROP the only way to call mprotect and bypass NX.

How to eliminate wrong answers

Option A is wrong because heap spraying is typically used to increase the predictability of heap layout for a use-after-free or similar vulnerability, but here the vulnerability is a stack-based buffer overflow; overwriting a function pointer would require a separate write primitive and does not bypass NX on the stack. Option B is wrong because return-to-libc relies on libc functions being present at a known address, but the binary is statically linked, meaning no shared libc is loaded, and ASLR would randomize libc's base address even if it were dynamically linked.

990 · MCQ · medium

A penetration tester wants to identify hosts on a network that are running web servers on any TCP port, including non-standard ports. Which Nmap command is most efficient for this task?

A. nmap -sV -p- target
B. nmap -sC -p 80,443 target
C. nmap -O -p- target
D. nmap -sT -p 8000,8080 target
Answer: A

This scans all TCP ports and performs service detection, making it possible to identify web servers running on any port.

Why this answer

Option A is correct because `-sV` enables version detection to identify web server software, and `-p-` scans all 65535 TCP ports, including non-standard ones. This combination efficiently discovers web servers on any port without unnecessary overhead like OS detection or default script scanning.

Exam trap

The trap here is that candidates often choose `-sC` (default scripts) thinking it checks for web servers, but it only runs on the specified ports and doesn't detect services on non-standard ports.

How to eliminate wrong answers

Option B is wrong because `-sC` runs default scripts but only scans ports 80 and 443, missing non-standard ports. Option C is wrong because `-O` performs OS detection, which is irrelevant for identifying web servers, and `-p-` alone doesn't enable service detection. Option D is wrong because `-sT` is a full TCP connect scan limited to ports 8000 and 8080, ignoring the vast majority of potential web server ports.

991 · MCQ · easy

In the context of OSINT, which resource would you use to find historical versions of a company's website that may reveal outdated information or hidden directories?

A. crt.sh
B. Censys
C. Shodan
D. Wayback Machine
Answer: D

The Wayback Machine archives historical versions of web pages.

Why this answer

The Wayback Machine (archive.org) is the correct resource because it archives historical snapshots of websites, allowing you to view past versions that may contain outdated information, hidden directories, or old configurations no longer present on the live site. This is a core OSINT technique for discovering legacy content or forgotten endpoints.

Exam trap

The trap here is that candidates confuse OSINT tools focused on current infrastructure (Shodan, Censys) or certificate data (crt.sh) with the only tool that provides historical web content snapshots, the Wayback Machine.

How to eliminate wrong answers

Option A is wrong because crt.sh is a certificate transparency log search tool that retrieves SSL/TLS certificates issued for domains, not historical website content or directory structures. Option B is wrong because Censys is a search engine for internet-connected devices and certificates, focusing on current network exposure and services, not archived web pages. Option C is wrong because Shodan is a search engine for internet-connected devices (e.g., IoT, servers, routers) and their banners, not for browsing historical versions of a website.

992 · Multi-Select · medium

A penetration tester is preparing the executive summary. Which THREE elements should be included? (Choose three.)

Select 3 answers
A. Key findings summary
B. Detailed exploit steps for each vulnerability
C. Strategic recommendations
D. Overall risk rating
E. Description of the testing methodology
Answers: A, C, D

Highlights important issues.

Why this answer

The executive summary should include the overall risk rating, key findings, and strategic recommendations. Technical details and methodology are not appropriate for this section.

993 · MCQ · hard

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

A. Dictionary attack with common passwords
B. Brute-force attack with all possible 8-character combinations
C. Hybrid attack combining dictionary words with numbers and special characters
D. Rainbow table attack on the hash
Answer: C

This approach uses word mangling and is effective for passwords that are variations of common words.

Why this answer

Option C is correct because NTLMv2 hashes are computationally expensive to crack, and a hybrid attack that combines dictionary words with numbers and special characters is the most efficient approach given the 12-character minimum policy. This technique leverages common password patterns (e.g., 'Password123!') that users often create to meet complexity requirements, making it faster than brute-forcing all possible 12-character combinations.

Exam trap

The trap here is that candidates may assume a brute-force attack is always the most thorough method, but they overlook the time constraints of cracking 12-character hashes, making hybrid attacks the practical first choice.

How to eliminate wrong answers

Option A is wrong because a dictionary attack with common passwords is unlikely to succeed against a 12-character minimum policy, as users are forced to create longer, more complex passwords that rarely appear in standard wordlists. Option B is wrong because a brute-force attack with all possible 8-character combinations would fail to crack a 12-character password, as it only covers 8-character space and would never reach the required length.

CompTIA PenTest+ PT0-002 PT0-002 Questions 976–993 | Page 14/14 | Courseiva