CompTIA PenTest+ PT0-002 (PT0-002) — Questions 151–225

509 questions total · 7 pages · All types, answers revealed

Page 3 of 7

151 · MCQ · medium

A penetration tester is exploiting a web application that stores session tokens in HTTP cookies without the HttpOnly flag. Which attack is most likely to succeed?

A. SQL injection
B. Session hijacking through cross-site scripting
C. Cross-site request forgery
D. Server-side request forgery
Answer: B

XSS can read cookie values if HttpOnly is not set, allowing session theft.

Why this answer

The absence of the HttpOnly flag on session cookies allows client-side scripts (e.g., JavaScript) to access the cookie. An attacker can exploit a cross-site scripting (XSS) vulnerability to execute arbitrary JavaScript in the victim's browser, which then reads the session cookie and sends it to the attacker. This enables session hijacking without needing to guess or brute-force the token.

Exam trap

The trap here is that candidates often confuse session hijacking via XSS with CSRF, but CSRF does not steal the token—it only abuses the existing authenticated session to perform actions.

How to eliminate wrong answers

Option A is wrong because SQL injection targets the database layer by manipulating SQL queries, not the client-side storage of session tokens. Option C is wrong because cross-site request forgery (CSRF) forces the victim to perform unintended actions using their existing session, but it does not steal the session token itself. Option D is wrong because server-side request forgery (SSRF) tricks the server into making internal requests, not stealing client-side cookies.

152 · MCQ · medium

Refer to the exhibit. A penetration tester performed a port scan and collected the information shown. Which vulnerability is most likely present based on the software versions?

A. Sendmail remote code execution
B. OpenSSH user enumeration
C. Apache HTTP Server directory traversal
D. PHP CGI argument injection (CVE-2019-11043)
Answer: D

PHP 7.2.24 is vulnerable to CVE-2019-11043 which allows remote code execution via specially crafted paths.

Why this answer

The exhibit shows Apache/2.4.39 with PHP 7.3.9, which is vulnerable to CVE-2019-11043, a PHP CGI argument injection flaw. This vulnerability allows an attacker to send specially crafted query strings to a PHP-FPM server via the `PATH_INFO` parameter, leading to remote code execution. The specific software versions match the known affected range (PHP 7.3.x before 7.3.11 and Apache with mod_proxy_fcgi).

Exam trap

The trap here is that candidates see 'Apache' and 'PHP' and immediately think of directory traversal (Option C), but the specific version numbers (Apache 2.4.39, PHP 7.3.9) are the key to identifying the PHP CGI argument injection vulnerability, not a generic Apache flaw.

How to eliminate wrong answers

Option A is wrong because Sendmail remote code execution typically targets older Sendmail versions (e.g., 8.x) and is not directly associated with Apache or PHP version indicators from a port scan. Option B is wrong because OpenSSH user enumeration exploits timing differences in SSH authentication, which requires SSH service banners (port 22), not HTTP server headers. Option C is wrong because Apache HTTP Server directory traversal vulnerabilities (e.g., CVE-2021-41773) affect Apache 2.4.49 or 2.4.50, not the 2.4.39 version shown in the exhibit.

153 · MCQ · medium

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

A. DNS zone transfer
B. WHOIS lookup
C. Analyzing job postings for technical requirements
D. Using Shodan to find exposed devices
Answer: C

Job ads often list specific technologies, IP ranges, or infrastructure details inadvertently.

Why this answer

Analyzing job postings for technical requirements is the most effective technique because it allows the tester to infer the internal IP address scheme without making any direct connections to the target network. Job postings often list specific technical skills, such as experience with certain subnet masks (e.g., /24, /16) or network ranges (e.g., 10.x.x.x, 192.168.x.x), which can reveal the internal addressing structure used by the organization. This passive reconnaissance method relies on publicly available information, avoiding any network traffic that could trigger detection.

Exam trap

The trap here is that candidates often assume DNS zone transfer (Option A) is the best passive technique, but they overlook that it requires an active query and is rarely successful due to security controls, while job postings are a truly passive and often overlooked source of internal network information.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer requires a direct connection to the target's DNS server and is typically disabled for security reasons (e.g., via allow-transfer restrictions), making it unreliable and not passive. Option B is wrong because WHOIS lookup provides registration details like domain ownership and contact information, but it does not disclose internal IP address schemes or subnetting practices.

154 · MCQ · easy

Which of the following metrics is most useful for demonstrating the overall security posture improvement after remediation in a penetration test report?

A. Total hours spent testing
B. The size of the attack surface
C. Total number of vulnerabilities found
D. Number of critical vulnerabilities before and after remediation
Answer: D

Directly measures improvement.

Why this answer

Option D is correct because comparing the number of critical vulnerabilities before and after remediation provides a clear metric for improvement. Option C (total vulnerabilities found) does not show change. Option A (hours spent testing) is irrelevant. Option B (attack surface) is not directly measurable in a single test.

155 · MCQ · easy

A penetration tester is analyzing a Bash script used for post-exploitation enumeration. The script contains the line: `cat /etc/shadow | awk -F: '{print $1, $2}'`. What is the primary purpose of this command?

A. Display all usernames and their associated password hashes
B. Show the number of users in the system
C. Extract the usernames and home directories
D. List the account expiration dates
Answer: A

Correct. The command reads /etc/shadow and outputs each username and its password hash.

Why this answer

The command `cat /etc/shadow | awk -F: '{print $1, $2}'` reads the shadow file, which stores user account information including password hashes. The `-F:` sets the field separator to colon, and `{print $1, $2}` outputs the first field (username) and second field (password hash). This is a common post-exploitation technique to extract password hashes for offline cracking.

Exam trap

The trap here is that candidates may confuse `/etc/shadow` with `/etc/passwd`, which stores user metadata like home directories, leading them to incorrectly select option C instead of recognizing the hash extraction purpose.

How to eliminate wrong answers

Option B is wrong because counting users would require a different command, such as `wc -l` to count lines, not printing specific fields. Option C is wrong because home directories are stored in `/etc/passwd` (typically field 6), not in `/etc/shadow`, and this command only accesses the shadow file.

156 · MCQ · easy

During a penetration test of a corporate network, you discover a Linux server running a custom Python application that handles authentication for a web portal. The server is configured to allow SSH access only from a specific management subnet. You have obtained a limited shell on a different host within the same VLAN as the target server. From your limited shell, you can reach the target server on TCP port 22, but you do not have valid credentials. The Python authentication script uses a flat file database to store user credentials in the format 'username:hashed_password'. You suspect the script has a vulnerability that allows reading arbitrary files, such as the password file. Which of the following actions should you take to exploit this vulnerability?

A. Use Wireshark on the limited shell to capture SSH traffic and extract credentials
B. Perform a port knocking sequence to open SSH access to the target server
C. Craft an HTTP request to the web portal's authentication script with a path traversal payload to read the password file
D. Use Hydra to brute-force SSH credentials from the limited shell because it is on the same VLAN
Answer: C

If the script is vulnerable to path traversal, you can read the password file and crack hashes.

Why this answer

Option C is correct because a path traversal vulnerability in the authentication script can be used to read arbitrary files, including the password file, allowing you to extract hashes. Option D is wrong because brute-forcing SSH without knowing the management subnet source is unlikely to succeed and may be blocked. Option B is wrong because port knocking is not indicated in the scenario. Option A is wrong because Wireshark is not available from the limited shell and would require local privilege escalation.

157 · MCQ · easy

A penetration tester wants to quickly identify the listening services on a target Linux server without performing a full port scan. The tester has obtained an unauthenticated shell as a low-privileged user. Which built-in command is most likely available on a modern Linux distribution to list all listening TCP sockets?

A. netstat -tlnp
B. ss -tlnp
C. lsof -i
D. ifconfig -a
Answer: B

ss is part of iproute2 and is commonly pre-installed; -t shows TCP, -l listening, -n numeric, -p shows process (if permitted).

Why this answer

Option B is correct because `ss -tlnp` is the modern replacement for `netstat` on Linux distributions that have deprecated `netstat` (e.g., RHEL 7+, Ubuntu 16.04+). It uses the `netlink` interface to read socket information directly from the kernel, making it faster and more reliable than parsing `/proc/net/tcp`. The flags `-t` (TCP), `-l` (listening), `-n` (numeric addresses/ports), and `-p` (show process) precisely list all listening TCP sockets without requiring root privileges for basic socket listing.

Exam trap

The trap here is that candidates assume `netstat` is universally available on Linux, but the PT0-002 exam tests awareness of modern tooling deprecation, where `ss` is the default built-in command on distributions like CentOS 7+ and Ubuntu 16.04+.

How to eliminate wrong answers

Option A is wrong because `netstat -tlnp` is not guaranteed to be available on modern Linux distributions; it is often deprecated or requires installation of the `net-tools` package, which is not installed by default on many minimal or containerized environments. Option C is wrong because `lsof -i` is not a built-in command on most Linux distributions; it must be installed separately via the `lsof` package, and it does not filter exclusively to listening TCP sockets without additional flags like `-sTCP:LISTEN`.

158 · MCQ · hard

A 'no-fail' clause prohibits service outages. How should the tester address high-risk tests like SQL injection?

A. Remove all high-risk tests from the scope
B. Require a staging environment for testing
C. Include a clause that the tester is not liable
D. Proceed with testing and hope no outages occur
Answer: B

Eliminates risk to production.

Why this answer

Option B is correct because testing in a staging environment prevents real outages. Option A is wrong because it removes important tests. Option C is wrong because it does not prevent outages.

Option D is wrong because it is irresponsible.

159 · MCQ · medium

A tester runs a Python script to perform a directory traversal attack. The output shows: 'Error: 403 Forbidden'. What is the most likely cause?

A. The script lacks authentication
B. The file does not exist
C. The request is malformed
D. The web server is patched against traversal attacks
Answer: D

A 403 Forbidden suggests the server rejected the malicious path.

Why this answer

Option D is correct because a 403 error indicates the server is blocking the request, likely due to proper input validation. Option B is wrong because if the file doesn't exist, a 404 would occur. Option C is wrong because the request is syntactically correct. Option A is wrong because authentication is not shown; the error is forbidden, not unauthorized.

160 · MCQ · medium

A client is planning a penetration test of their internal network but refuses to provide network diagrams or access to a staging environment. The tester is concerned about causing a denial of service (DoS) on critical systems. Which clause should be included in the rules of engagement to mitigate this risk?

A. A clause requiring the client to provide a complete list of in-scope IP addresses.
B. A waiver stating that any service disruption is the client's responsibility.
C. A rate-limiting clause that restricts scan speed and concurrent connections.
D. An exclusion list for systems that should not be tested.
Answer: C

Rate limiting is a proactive measure that reduces the chance of overwhelming network devices or services, even when the tester lacks full network visibility.

Why this answer

Option C is correct because a rate-limiting clause directly addresses the risk of causing a denial of service (DoS) by controlling the speed and concurrency of the penetration test. By restricting scan rates (e.g., using tools like Nmap with `--max-rate` or `--min-hostgroup`) and limiting concurrent connections, the tester can prevent overwhelming critical systems, even without network diagrams or a staging environment. This clause mitigates the risk without requiring the client to provide additional information or shifting liability.

Exam trap

The trap here is that candidates may choose Option A (list of IPs) thinking it reduces risk by narrowing scope, but they overlook that aggressive scanning of even a small IP list can still cause DoS, while rate-limiting directly controls the traffic intensity.

How to eliminate wrong answers

Option A is wrong because requiring a complete list of in-scope IP addresses does not prevent DoS; it only clarifies the target scope, but the tester could still cause a DoS by scanning those IPs too aggressively. Option B is wrong because a waiver stating that any service disruption is the client's responsibility does not mitigate the risk; it merely transfers liability, which is unethical and may violate the testing agreement, and does not prevent the actual DoS from occurring.

161 · Multi-Select · medium

Which TWO of the following are valid uses of the 'socat' tool during a penetration test? (Select TWO.)

Select 2 answers
A. Extracting files from an FTP server
B. Forwarding TCP ports to pivot through a compromised host
C. Performing a man-in-the-middle attack on HTTPS
D. Creating a reverse shell listener
E. Brute-forcing HTTP form authentication
Answers: B, D

Socat can create a relay to forward traffic, useful for pivoting.

Why this answer

Socat can be used to create a reverse shell listener (option D) and to forward ports (option B). It is not typically used for extracting files from an FTP server (A) or for brute-forcing HTTP form authentication (E); file retrieval is better done with curl or wget. Option C is incorrect because socat does not inherently perform a man-in-the-middle attack on HTTPS.

162 · MCQ · easy

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A. A high-level overview of the most critical vulnerabilities and their potential business impact.
B. Detailed exploit steps with screenshots.
C. A list of all CVSS scores without context.
D. The exact commands used during testing.
Answer: A

This matches the purpose of the executive summary: concise, business-focused information that allows leadership to make informed decisions without needing technical expertise.

Why this answer

The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.

Exam trap

The trap here is that candidates often confuse the executive summary with a technical summary, choosing options with detailed exploit steps or raw CVSS scores, forgetting that the CEO needs a business-focused, non-technical overview of risk and impact.

How to eliminate wrong answers

Option B is wrong because detailed exploit steps with screenshots are too technical and granular for an executive summary; they belong in the technical findings section of the report, not in a high-level overview for a CEO. Option C is wrong because listing all CVSS scores without context fails to convey the business impact or risk level; CVSS scores alone do not explain how vulnerabilities affect business operations, compliance, or strategic goals, which is essential for executive decision-making.

163 · MCQ · easy

Refer to the exhibit. A penetration tester sends the request and receives the response shown. Which vulnerability is confirmed?

A. Server-side request forgery
B. Cross-site request forgery
C. SQL injection
D. Reflected cross-site scripting
Answer: D

The input is echoed back in the HTML without sanitization, allowing script execution.

Why this answer

The response includes the parameter value 'John' reflected directly in the HTML body without sanitization or encoding, and the request uses an HTTP GET method. This confirms a reflected cross-site scripting (XSS) vulnerability, as the tester can inject arbitrary JavaScript by modifying the 'name' parameter, which will execute in the victim's browser.

Exam trap

The trap here is that candidates may confuse reflected XSS with stored XSS or CSRF, but the key indicator is that the input appears only in the response to that specific request (reflected), not stored on the server, and the GET method with no state change rules out CSRF.

How to eliminate wrong answers

Option A is wrong because server-side request forgery (SSRF) involves the server making requests to internal resources based on user input, but the response shows the input reflected in the page, not a server-side request. Option B is wrong because cross-site request forgery (CSRF) requires a forged request that changes state (e.g., via POST), but the request shown is a simple GET with no state-changing action, and the response reflects input without requiring a session token. Option C is wrong because SQL injection would cause database errors or altered data in the response, but the response simply echoes the input 'John' without any SQL syntax or error messages.

164 · MCQ · medium

Refer to the exhibit. A penetration tester performed an initial nmap scan and recorded the above output. The tester wants to include this in the report. What additional information should the tester add to make the finding more useful for remediation?

A. The version of services running on each port.
B. The list of open ports only.
C. The operating system of each host.
D. The result of a UDP scan for these ports.
Answer: A

Service versions help identify known vulnerabilities.

Why this answer

Option A is correct because service version information is critical for identifying vulnerable versions. Option B is wrong because open ports are already shown. Option C is wrong because OS detection is not always reliable and not shown here. Option D is wrong because UDP scan results are not shown.

165 · MCQ · easy

A penetration tester is reviewing a Python script that automates a common network attack. The script imports the 'ftplib' and 'telnetlib' libraries. It reads a list of IP addresses from a file and, for each host, attempts to connect using a predefined username and password. If the connection succeeds, it logs the success. Which attack is the script most likely performing?

A. Brute-force attack against FTP and Telnet services
B. Vulnerability scanning for open ports
C. Password spraying attack against web applications
D. Service enumeration using banner grabbing
Answer: A

The script uses FTP and Telnet libraries to attempt connections with a known username and password, which is a brute-force attack against those services.

Why this answer

The script uses 'ftplib' and 'telnetlib' to attempt connections with a predefined username and password against multiple IP addresses. This is characteristic of a brute-force attack, where the attacker tries a single credential pair against many hosts to gain unauthorized access to FTP and Telnet services.

Exam trap

The trap here is confusing a brute-force attack (single credential against many hosts) with a password spraying attack (many usernames against a single host), leading candidates to incorrectly select option C when the script's logic clearly targets multiple hosts with one credential pair.

How to eliminate wrong answers

Option B is wrong because vulnerability scanning for open ports typically uses tools like Nmap or libraries like 'socket' to check for open ports, not 'ftplib' or 'telnetlib' for authenticated login attempts. Option C is wrong because password spraying attacks target web applications (often via HTTP/S) with many usernames and a few common passwords, whereas this script uses a single predefined username/password against multiple hosts, which is a classic brute-force pattern against network services, not web apps.

166 · MCQ · medium

A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?

A. Assume the client has already obtained permission from the API provider
B. Obtain written authorization from the third-party API provider
C. Rely on the client's statement that the API is within scope
D. Test only the client's application code and ignore the API
Answer: B

Formal permission from the API owner is necessary to avoid legal repercussions.

Why this answer

Option B is correct because the penetration tester must obtain explicit written authorization from the third-party API provider before testing. Without this, testing the API endpoint could violate the Computer Fraud and Abuse Act (CFAA) or similar laws, as the tester would be accessing a system they do not own or have contractual permission to test. The client's scope inclusion does not grant legal access to the third-party's infrastructure.

Exam trap

The trap here is that candidates assume the client's scope definition automatically covers third-party systems, but the exam tests the legal and ethical requirement to obtain explicit permission from the actual owner of the target system.

How to eliminate wrong answers

Option A is wrong because assuming the client has obtained permission is a dangerous assumption that could lead to unauthorized access and legal liability; the tester must independently verify authorization. Option C is wrong because relying solely on the client's statement that the API is in scope ignores the fact that the client cannot grant permission for a third-party system; the tester needs direct authorization from the API provider.

167 · MCQ · easy

Which tool is best for performing static analysis of Python code to find security vulnerabilities?

A. sqlmap
B. nmap
C. Bandit
D. Metasploit
Answer: C

Bandit scans Python code for common security issues.

Why this answer

Option C is correct because Bandit is a Python security linter. Option B is wrong because nmap is for network scanning. Option D is wrong because Metasploit is an exploitation framework. Option A is wrong because sqlmap is for SQL injection testing.

168 · MCQ · medium

A penetration tester is performing active reconnaissance on a target network. The tester sends TCP SYN packets to a range of ports on a target host. Only a few ports respond with SYN-ACK packets. What does this indicate?

A. The host is protected by a firewall that drops all packets.
B. The ports that responded with SYN-ACK are open.
C. The host is running a stealthy IDS.
D. The network is using IPv6.
Answer: B

A SYN-ACK reply indicates that the port is open and the target is willing to establish a connection.

Why this answer

The TCP three-way handshake begins with a SYN packet; a SYN-ACK response indicates that the target port received the SYN and is willing to establish a connection, meaning the port is open and listening. Only ports that respond with SYN-ACK are confirmed open, while others may be closed or filtered, but the presence of any SYN-ACK replies directly indicates open ports.

Exam trap

The trap here is confusing the absence of a response (filtered) with a firewall dropping all packets, but the presence of any SYN-ACK replies proves that not all packets are dropped, and the correct interpretation is that responding ports are open.

How to eliminate wrong answers

Option A is wrong because a firewall that drops all packets would cause no SYN-ACK responses at all, not just a few; the tester received SYN-ACK replies, so packets are not being universally dropped. Option C is wrong because a stealthy IDS (Intrusion Detection System) monitors traffic and may generate alerts but does not alter TCP handshake responses; the SYN-ACK replies are a network-layer behavior from the target host, not an IDS action.

169 · MCQ · medium

Refer to the exhibit. A penetration tester has run an initial reconnaissance scan and obtained the above output. The tester needs to decide which attack vector to prioritize based on the principle of exploiting the oldest software version. Which of the following is the most appropriate next step?

A. Exploit the MySQL service using default credentials
B. Launch a brute-force attack against SSH
C. Attempt to exploit the Remote Desktop Protocol (RDP) service
D. Perform a vulnerability scan on the web applications
Answer: B

OpenSSH 6.6 is old and vulnerable; brute-force is a common vector for SSH.

Why this answer

The SSH service is running OpenSSH 6.6, which is relatively old and known to have several vulnerabilities that can be exploited via brute-force or remote code execution. Therefore, launching a brute-force attack against SSH is prioritized. The MySQL version (5.1.73) is also old but less likely to be directly exploitable without credentials.

The web server version is not listed but Apache 2.4.29 is newer. RDP is a common target but no version indicator suggests it's old.

170 · MCQ · easy

A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?

A. External network penetration test
B. Internal network penetration test
C. Web application vulnerability assessment
D. Social engineering campaign
Answer: C

This type of assessment is designed to find vulnerabilities in web applications, regardless of network location.

Why this answer

The application is not yet connected to the internet, so an external network penetration test (which targets internet-facing assets) is irrelevant. An internal network penetration test focuses on the internal LAN infrastructure, not the application itself. A web application vulnerability assessment is the correct scope because it directly examines the application's code, logic, and configurations for flaws such as SQL injection, XSS, and authentication bypasses, regardless of network connectivity.

Exam trap

The trap here is confusing the type of test with the network environment: candidates often assume an 'internal' test is always appropriate for any non-internet asset, but the scope must match the target's technology (web application vs. network infrastructure).

How to eliminate wrong answers

Option A is wrong because an external network penetration test requires the target to be reachable over the internet, but the application is not connected to the internet, making this scope impossible. Option B is wrong because an internal network penetration test targets network-level vulnerabilities (e.g., ARP spoofing, SMB relay) and does not focus on the web application's specific vulnerabilities, which is the client's stated need.

171 · MCQ · medium

A penetration tester is analyzing a Python script used for web application testing. The script imports the 'socket' module and uses it to create a raw socket. Which of the following is the most likely purpose of the script?

A. Creating a reverse shell payload
B. Sending crafted TCP packets to perform a SYN flood
C. Parsing HTTP responses for header injection
D. Automating user-agent rotation for web requests
Answer: B

Raw sockets enable the construction of custom TCP packets with arbitrary flags, essential for a SYN flood attack where the attacker sends SYN packets without completing the handshake.

Why this answer

The 'socket' module in Python provides low-level networking interfaces, and creating a raw socket (using `socket.SOCK_RAW`) allows the script to craft and send custom packets at the IP layer. A SYN flood attack involves sending a high volume of TCP SYN packets with spoofed source IP addresses to exhaust a target's resources, which requires raw socket access to manipulate packet headers. Therefore, the most likely purpose of the script is sending crafted TCP packets to perform a SYN flood.

Exam trap

The trap here is that candidates may associate the 'socket' module only with standard TCP/UDP connections (like reverse shells) and overlook that raw sockets are specifically required for crafting custom packets in attacks like SYN floods, which operate at a lower network layer.

How to eliminate wrong answers

Option A is wrong because creating a reverse shell payload typically involves establishing a TCP connection (using `socket.SOCK_STREAM`) to a remote host, not raw sockets, and often uses higher-level libraries like `subprocess` or `pty` for shell interaction. Option C is wrong because parsing HTTP responses for header injection is an application-layer task that can be done with libraries like `requests` or `http.client`, and does not require raw socket manipulation at the network layer.

172 · MCQ · hard

A penetration tester is analyzing a PowerShell script used during an internal test. The script contains the following code block:

```powershell
$cred = Get-Credential
$session = New-PSSession -ComputerName 'Server01' -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-ChildItem C:\Secrets.txt }
Remove-PSSession $session
```

What is the primary purpose of this script?

A. To perform a local privilege escalation using stored credentials
B. To achieve lateral movement and access a file on a remote server
C. To brute-force the password of the user account via 'Get-Credential'
D. To execute a script from the remote server using the ScriptBlock
Answer: B

The script establishes a remote session to 'Server01' and executes a command to list a file, demonstrating lateral movement.

Why this answer

The script uses Get-Credential to obtain user credentials, creates a remote PowerShell session (PSSession) to Server01 via New-PSSession, and then executes Get-ChildItem C:\Secrets.txt on that remote server using Invoke-Command. This is the classic pattern for lateral movement: authenticating to a remote host and accessing a file stored there, not performing any local privilege escalation or password brute-forcing.

Exam trap

The trap here is that candidates may confuse the use of Get-Credential with a brute-force attack, or misinterpret the remote file access as a local privilege escalation, when the script's clear intent is lateral movement via PowerShell remoting.

How to eliminate wrong answers

Option A is wrong because the script does not attempt any local privilege escalation; it uses supplied credentials to connect to a remote server, not to elevate privileges on the local machine. Option C is wrong because Get-Credential simply prompts for or retrieves stored credentials; it does not perform any brute-force attack against a user account's password.

173
MCQeasy

A penetration tester is analyzing a Bash script that contains the following line: 'for ip in $(cat ip_list.txt); do nc -zv $ip 22; done'. What is the primary purpose of this script?

A.To perform a banner grab on port 22 for each IP
B.To test if port 22 is open on each IP in the list
C.To establish a remote shell connection to each IP on port 22
D.To scan all 65535 ports on each IP in the list
AnswerB

The '-z' flag makes netcat report whether the port is open by checking the TCP handshake without sending data.

Why this answer

The script uses `nc -zv $ip 22` which performs a TCP connection test to port 22 on each IP from the list. The `-z` flag tells netcat to scan without sending any data, and `-v` enables verbose output, so it only reports whether the connection succeeded (port open) or failed (port closed or filtered). This is a classic port connectivity check, not a full banner grab or shell establishment.

Exam trap

The trap here is that candidates confuse `-z` (zero I/O scan) with banner grabbing or interactive shell access, assuming netcat always reads banners or spawns shells, when in fact `-z` explicitly prevents data transfer.

How to eliminate wrong answers

Option A is wrong because `nc -zv` does not perform a banner grab; banner grabbing requires `-v` alone or a timeout with data exchange (e.g., `echo | nc -w 3 $ip 22`), and `-z` explicitly avoids sending data. Option C is wrong because `nc -zv` only tests connectivity; establishing a remote shell would require `-e` (if compiled with GAPING_SECURITY_HOLE) or a reverse shell payload, which is absent. Option D is wrong because the script only targets port 22, not all 65535 ports; a full port scan would require a loop over port numbers or a tool like `nmap -p-`.

174
MCQeasy

A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

A.A list of all tools used during the penetration test
B.The total number of vulnerabilities discovered and their average CVSS score
C.The number of critical and high-risk findings along with the average time to exploit them
D.A detailed step-by-step exploitation walkthrough of one critical vulnerability
AnswerC

This gives executives a clear, non-technical view of the most pressing issues and how quickly an attacker could take advantage of them.

Why this answer

Option C is correct because non-technical stakeholders (e.g., executives) need a high-level, risk-focused summary that communicates the severity and urgency of findings. The number of critical/high-risk findings directly indicates the most dangerous exposures, and the average time to exploit them conveys how quickly an attacker could compromise the environment. This metric translates technical risk into business impact, which is the core goal of an executive summary.

Exam trap

The trap here is that candidates often choose Option B (total vulnerabilities and average CVSS score) because CVSS is a familiar metric, but the exam tests the understanding that non-technical stakeholders need actionable, prioritized risk data (critical/high count and exploit time) rather than a statistically averaged score that can obscure severe findings.

How to eliminate wrong answers

Option A is wrong because listing all tools used (e.g., Nmap, Burp Suite, Metasploit) provides no insight into the security posture; it is operational detail irrelevant to non-technical stakeholders. Option B is wrong because the total number of vulnerabilities and their average CVSS score can be misleading—a low average CVSS score may hide many critical findings, and non-technical stakeholders need prioritization, not a diluted average. Option D is wrong because a detailed step-by-step exploitation walkthrough is too technical and granular for an executive summary; it belongs in the technical report, not in a high-level communication for non-technical readers.

175
MCQmedium

A penetration tester needs to escalate privileges on a Linux target after gaining initial shell access. The /etc/passwd file shows a user 'jake' with UID 0. What does this indicate?

A.The user 'jake' is a normal user with UID misconfiguration
B.The user 'jake' is a member of the root group
C.The user 'jake' has the same privileges as root
D.There is a duplicate user 'jake' and 'root'
AnswerC

A UID of 0 means the account is the superuser, regardless of username.

Why this answer

In Linux, a UID (User ID) of 0 is reserved exclusively for the root superuser. When the /etc/passwd file shows a user 'jake' with UID 0, the system treats 'jake' with the same privileges as root, regardless of the username. This is because the kernel checks the UID, not the username, for permission decisions.

Therefore, 'jake' has full root-level access, making option C correct.

Exam trap

The trap here is that candidates confuse UID 0 with group membership (GID 0) or assume it's a misconfiguration, when in fact the UID field in /etc/passwd directly determines superuser status, not the username or group.

How to eliminate wrong answers

Option A is wrong because a UID of 0 is not a misconfiguration; it is the defined superuser identifier per POSIX standards, so 'jake' is not a normal user but has root privileges. Option B is wrong because group membership (e.g., being in the root group with GID 0) does not grant root privileges; only UID 0 confers superuser authority, and the /etc/passwd entry shows UID, not group membership. Option D is wrong because there is no duplicate user; 'jake' and 'root' are separate usernames, but both have UID 0, meaning they share the same superuser identity—this is not a duplicate account but a security concern.
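The point the question turns on, that the kernel keys superuser status on the numeric UID and not on the username, is easiest to see in an audit check that parses the file the same way. The following is an added example, not part of the question bank: it parses passwd-format lines, reports every UID-0 account, separates out the accounts that only belong to the root group (GID 0), and runs against a constructed sample in which a user named jake carries UID 0.

```python
"""Audit a passwd-format file for accounts that hold UID 0.

Added example: the kernel grants superuser authority to any account whose
UID field is 0, whatever the username, so a defender's check must key on
the numeric UID rather than on the name 'root'. The sample data below is
constructed for the example and is not from any real host.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample /etc/passwd content: 'jake' carries UID 0 (a second
# superuser identity), while 'ops' merely has GID 0 (root group), which
# does not confer superuser status.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jake:x:0:1001:Jake:/home/jake:/bin/bash
ops:x:1002:0:Ops:/home/ops:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines of the form name:passwd:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def superuser_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0; the kernel treats all of them as root."""
    return [e.name for e in entries if e.uid == 0]


def unexpected_superusers(entries: List[PasswdEntry]) -> List[str]:
    """UID-0 accounts other than 'root': the finding a tester or auditor reports."""
    return [n for n in superuser_accounts(entries) if n != "root"]


def root_group_only(entries: List[PasswdEntry]) -> List[str]:
    """Accounts with GID 0 but a non-zero UID: root-group members, not superusers."""
    return [e.name for e in entries if e.gid == 0 and e.uid != 0]


if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:", superuser_accounts(ents))
    print("Unexpected superusers:", unexpected_superusers(ents))
    print("GID 0 only (not superuser):", root_group_only(ents))
```

On the sample, `unexpected_superusers` returns only `jake`, and `ops` appears under the GID-0 list alone, which is exactly the distinction the exam trap describes.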

176
MCQhard

A medium-sized e-commerce company, CyberMart, has contracted your penetration testing firm to assess their security posture. The company operates from three physical locations: headquarters, a data center, and a remote warehouse. They have a flat internal network but separate VLANs for production, development, and guest Wi-Fi. CyberMart's CISO insists that the test must be conducted without causing any disruption to the production environment, especially the payment processing system. The test should simulate an external attacker targeting the public-facing web servers and an internal attacker who has gained initial access to the guest network. The CISO also requests that all testing be done during off-peak hours to minimize impact. You are preparing the rules of engagement. Which of the following is the most appropriate action to include in the ROE to satisfy the client's requirements while maintaining a realistic test scenario?

A.Include all VLANs but with explicit permission to conduct denial-of-service tests only during off-peak hours.
B.Allow testing on all VLANs except the production VLAN containing payment processing, with a rule to immediately stop if any degradation is observed.
C.Focus exclusively on the external web servers and exclude internal network testing due to the risk of disruption.
D.Restrict testing to only the guest network and external IPs, excluding all production VLANs.
AnswerB

This covers the required scenarios while protecting critical systems.

Why this answer

Option B allows testing on all VLANs except the critical production VLAN with payment processing, and includes a stop condition if degradation is observed. This balances realism (testing internal segmentation from the guest network) with safety (protecting payment systems). Option C is too restrictive and does not test internal movement from the guest network.

Option A includes denial-of-service tests, which are explicitly not allowed due to disruption. Option D ignores the internal testing requirement entirely.

177
MCQmedium

A penetration testing firm is hired to perform a test on a multinational company that has offices in Europe and North America. The client wants to test all systems including those in the European office, which is subject to GDPR. Which of the following is the MOST important legal consideration to include in the rules of engagement?

A.A limitation of liability clause
B.Data protection and privacy clauses addressing handling of personal data
C.A non-disclosure agreement
D.A schedule of testing hours
AnswerB

This directly addresses GDPR requirements, specifying how personal data will be protected during the penetration test.

Why this answer

The engagement involves testing systems in a European office subject to GDPR, which imposes strict requirements on the processing and protection of personal data. The rules of engagement must include data protection and privacy clauses to define how the penetration tester will handle any personal data encountered during the test, ensuring compliance with GDPR Article 5 (lawfulness, fairness, transparency) and Article 32 (security of processing). Without these clauses, the tester could inadvertently violate GDPR by collecting or storing personal data without a lawful basis, exposing both the client and the testing firm to significant fines.

Exam trap

The trap here is that candidates often choose a non-disclosure agreement (NDA) as the most important legal consideration, confusing general confidentiality with the specific data protection obligations required by GDPR, which are distinct and more prescriptive.

How to eliminate wrong answers

Option A is wrong because a limitation of liability clause is a standard contractual provision that caps financial damages, but it does not address the specific GDPR compliance requirements for handling personal data during the test. Option C is wrong because a non-disclosure agreement (NDA) protects confidentiality of the test results and client information, but it does not define how personal data must be processed, stored, or deleted under GDPR. Option D is wrong because a schedule of testing hours is an operational consideration that avoids business disruption, but it has no direct relevance to GDPR's data protection obligations.

178
MCQhard

A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?

A.Rules of Engagement
B.Testing Methodology
C.Data Protection Addendum
D.Scope of Work
AnswerC

A DPA specifies how sensitive data (e.g., PHI) must be handled, stored, and destroyed in compliance with regulations.

Why this answer

A Data Protection Addendum (DPA) or equivalent data handling agreement is the appropriate document to define how sensitive data will be handled, stored, and destroyed. The Rules of Engagement cover authorization and constraints, but specific data protection clauses are often in a separate addendum or included in the contract. The Methodology and Scope of Work do not typically detail data destruction procedures.

179
MCQmedium

During an internal penetration test, a tester captures a NetNTLMv2 hash via an SMB relay attack. The target network does not enforce SMB signing. What is the most effective next step to gain access to a remote server?

A.Crack the hash offline using a dictionary attack.
B.Relay the captured hash to authenticate to another server.
C.Perform a pass-the-hash attack using the captured hash.
D.Use the hash to perform an LLMNR poisoning attack.
AnswerB

Without SMB signing, the NetNTLMv2 hash can be relayed to obtain authenticated access to other systems on the network.

Why this answer

Since SMB signing is not enforced, the tester can relay the captured NetNTLMv2 hash directly to another server without needing to crack it. This works because the relay attack forwards the authentication challenge-response to a target server, allowing the tester to authenticate as the victim user without knowing the plaintext password. This is the most effective step because it provides immediate access without the time and resource cost of offline cracking.

Exam trap

The trap here is that candidates often confuse NetNTLMv2 with NTLM hashes, assuming pass-the-hash works with any hash type, when in fact pass-the-hash requires the raw NTLM hash (from LSASS or a dump) and not the challenge-response variant captured via relay.

How to eliminate wrong answers

Option A is wrong because offline cracking of NetNTLMv2 hashes is computationally expensive and time-consuming, especially for complex passwords, making it less effective than relaying when SMB signing is disabled. Option C is wrong because pass-the-hash requires an NTLM hash (not NetNTLMv2), which is a different format; NetNTLMv2 is a challenge-response hash that cannot be directly used in a pass-the-hash attack. Option D is wrong because LLMNR poisoning is a technique to capture hashes, not a method to use an already-captured hash for authentication; the hash has already been obtained, so poisoning is unnecessary.

180
MCQhard

A penetration tester wants to identify the web server software and version used by a target organization without sending any packets to the target's infrastructure. Which of the following techniques is most effective for this purpose?

A.Use Shodan to search for the target's IP address or domain and review the gathered banners.
B.Perform a DNS zone transfer to obtain internal server information.
C.Use netcat to connect to port 80 and read the HTTP banner.
D.Use nmap -sV with a delayed scan to avoid detection.
AnswerA

Shodan's database contains data from previous scans, including HTTP server headers, banners, and other service fingerprints. This is a purely passive technique that leverages publicly available data.

Why this answer

Shodan is a search engine that continuously scans the internet and stores service banners from various ports. By querying the target's IP address or domain, the penetration tester can retrieve previously collected HTTP headers and other service banners without sending any packets to the target, thus achieving passive reconnaissance.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-and-slow active scanning, mistakenly believing that techniques like delayed nmap scans or netcat connections are passive when they still generate detectable network traffic.

How to eliminate wrong answers

Option B is wrong because a DNS zone transfer is an active query that sends a request to the target's DNS server, and it typically reveals internal hostnames, not web server software or version banners. Option C is wrong because using netcat to connect to port 80 sends a TCP SYN packet to the target, which is an active technique that generates network traffic and can be detected. Option D is wrong because nmap -sV performs active service version detection by sending probes to open ports; even with a delayed scan, it still transmits packets to the target infrastructure.

181
MCQmedium

A penetration tester runs a vulnerability scanner against a web server and receives a high-confidence alert that the server is vulnerable to Heartbleed (CVE-2014-0160). The tester manually verifies using an OpenSSL command and finds that the server is patched. Which of the following is the most likely cause of this false positive?

A.The scanner's vulnerability signatures are outdated and still flagging the old behavior
B.The scanner's plugin for Heartbleed was misconfigured and sent malformed packets
C.The server returned a generic error message that the scanner misinterpreted as a sign of the vulnerability
D.The scanner's network connection was intermittent, causing incomplete responses that were incorrectly flagged
AnswerA

An outdated signature database can cause the scanner to misinterpret server responses or fail to recognize that a patch has been applied, resulting in a false positive.

Why this answer

Option A is correct because outdated vulnerability signatures are the most common cause of false positives in vulnerability scanning. The scanner's signature database likely still contains the original detection logic for Heartbleed (e.g., checking for a specific TLS heartbeat response length or pattern), which the patched server no longer exhibits. When the tester manually verified with an OpenSSL command (e.g., `openssl s_client -connect target:443 -tlsextdebug`), the patched server correctly handled the heartbeat request, confirming the scanner's alert was based on stale signatures.

Exam trap

The trap here is that candidates may assume a false positive always results from network issues or misconfiguration, rather than recognizing that outdated scanner signatures are the primary cause when a manual test contradicts an automated scan.

How to eliminate wrong answers

Option B is wrong because a misconfigured plugin that sends malformed packets would likely cause a different error or no response at all, not a high-confidence false positive; Heartbleed detection relies on the server echoing back more data than requested, not on malformed packets. Option C is wrong because Heartbleed detection does not rely on generic error messages; it specifically checks for an oversized heartbeat response payload (e.g., a 64KB reply to a 1-byte request). Option D is wrong because intermittent network connections would produce incomplete or dropped responses, which would typically result in a low-confidence or inconclusive scan result, not a high-confidence false positive.

182
MCQmedium

After a penetration test, the client's development team requests that the report include specific, actionable remediation steps for each vulnerability. Where in the report should this information be placed?

A.In the executive summary to emphasize the need for fixing vulnerabilities
B.In the appendix as a separate remediation checklist
C.Within the technical report section, under each vulnerability finding
D.In a separate document attached to the report to avoid cluttering the main report
AnswerC

Correct. Each vulnerability finding should include a remediation subsection that provides clear, actionable steps for the responsible team.

Why this answer

The correct placement for specific, actionable remediation steps is within the technical report section under each vulnerability finding. This aligns with industry best practices (e.g., PTES, OWASP) where each finding includes a description, risk rating, and a dedicated remediation subsection, ensuring developers have immediate context and clear steps without cross-referencing other sections.

Exam trap

The trap here is that candidates may think the executive summary or appendix is sufficient for remediation details, but the exam specifically tests that actionable steps must be embedded within each finding to ensure clear ownership and immediate applicability for the development team.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for management, not a place for detailed technical remediation steps; it should focus on business risk and strategic recommendations, not per-vulnerability fixes. Option B is wrong because placing remediation steps only in an appendix separates them from the vulnerability context, forcing developers to flip back and forth, which reduces clarity and increases the risk of misapplication. Option D is wrong because a separate document can be lost or overlooked, and the PT0-002 exam expects remediation to be integrated into the main report for traceability and completeness, not hidden in an attachment.

183
Multi-Selecthard

Which TWO of the following are indicators that a web application is vulnerable to XML External Entity (XXE) attacks? (Select TWO.)

Select 2 answers
A.Directory traversal in file upload functionality
B.Persistent cross-site scripting in user profiles
C.Exfiltration of files via HTTP requests to an attacker-controlled server
D.Application crashes when processing a malformed XML file
E.Successful UNION-based SQL injection
AnswersC, D

XXE can use external entities to send files to the attacker.

Why this answer

Option C is correct because XXE attacks allow an attacker to define an external entity that references a local file (e.g., file:///etc/passwd) and then have that entity's content included in an HTTP request to an attacker-controlled server. This exfiltration via out-of-band HTTP requests is a classic indicator of a successful XXE exploitation, as the attacker can read sensitive files from the server's filesystem. Option D is correct because an application that crashes on malformed XML is handing untrusted input directly to an XML parser, which is the precondition for XXE.

Exam trap

CompTIA often tests the distinction between direct indicators of XXE (like file exfiltration via HTTP and parser crashes) and other common web vulnerabilities, so candidates mistakenly select directory traversal or SQL injection because they associate 'file reading' or 'data extraction' with XXE without recognizing the specific XML parser behavior.

184
MCQhard

A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?

A.Use netcat to send data over TCP 53
B.Use an SSH tunnel over UDP 53
C.Use dnscat2 or other DNS tunneling tool
D.Use a bind shell listening on TCP 443 internally
AnswerC

DNS tunneling encodes data in DNS queries, which are permitted by the firewall. This allows the tester to establish a channel and exfiltrate data.

Why this answer

Option C is correct because DNS tunneling tools like dnscat2 encode data within DNS queries and responses, allowing the tester to bypass outbound firewall restrictions that only permit UDP 53 traffic. Since the reverse shell payload uses TCP 443, which is blocked, DNS tunneling provides an alternative covert channel that encapsulates the communication within legitimate DNS lookups, effectively exfiltrating data or establishing a command-and-control channel over the allowed protocol.

Exam trap

The trap here is that candidates may assume any protocol can be tunneled over UDP 53 simply by changing the port, but DNS tunneling requires specialized tools that encapsulate data within DNS message formats, not just raw TCP or SSH over UDP.

How to eliminate wrong answers

Option A is wrong because netcat cannot send data over TCP 53 when the outbound firewall only allows UDP 53; TCP 53 is a different protocol and would be blocked. Option B is wrong because SSH tunnels operate over TCP, not UDP, and UDP 53 is used for DNS queries, not SSH; attempting an SSH tunnel over UDP 53 would fail as SSH does not natively support UDP transport. Option D is wrong because a bind shell listening on TCP 443 requires the tester to initiate an inbound connection to the compromised host; the tester is behind the firewall and needs an outbound channel, so a bind shell does not solve the outbound restriction problem.

185
MCQeasy

Which of the following is the MOST appropriate format for delivering the final penetration test report to the client?

A.HTML file hosted on the tester's website.
B.Plain text file with no formatting.
C.Microsoft Word document with tracked changes.
D.PDF with password protection and digital signature.
AnswerD

PDF ensures integrity and non-repudiation.

Why this answer

Option D is correct because PDF provides a secure, non-editable format that preserves formatting. Option C is wrong because Word documents can be easily altered. Option B is wrong because text files lack structure.

Option A is wrong because HTML may not be easily printable or secure.

186
MCQeasy

A penetration tester gains access to a web application that uses a MongoDB backend. The tester discovers that the search functionality directly interpolates user input into a NoSQL query without sanitization. Which technique should the tester use to extract data from the database?

A.SQL injection
B.NoSQL injection
C.LDAP injection
D.Command injection
AnswerB

This is the correct technique because the application uses MongoDB and directly interpolates user input into queries. NoSQL injection manipulates the query logic by injecting operators like $gt or $ne.

Why this answer

Option B is correct because the application uses MongoDB, a NoSQL database, and the search functionality directly interpolates user input into a NoSQL query without sanitization. This allows the tester to inject MongoDB operators (e.g., $ne, $regex, $gt) to manipulate the query logic and extract data, which is the core of NoSQL injection. Unlike SQL injection, this technique targets MongoDB's query syntax, such as JSON-based operators, to bypass authentication or retrieve records.

Exam trap

The trap here is that candidates see 'injection' and default to SQL injection (Option A) without recognizing that the backend is MongoDB, a NoSQL database, which requires a different injection technique using JSON operators rather than SQL syntax.

How to eliminate wrong answers

Option A is wrong because SQL injection targets relational databases using SQL syntax (e.g., SELECT, UNION), but MongoDB uses a document-based query language with JSON-like operators, not SQL. Option C is wrong because LDAP injection exploits Lightweight Directory Access Protocol queries (e.g., LDAP filters) to manipulate directory services, not NoSQL databases like MongoDB. Option D is wrong because command injection targets operating system commands (e.g., shell commands) via system calls, not database queries, and the vulnerability here is in the database query layer, not the OS.

187
MCQhard

A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?

A.Get-Service | Format-List Name,PathName
B.reg query HKLM\SYSTEM\CurrentControlSet\Services\ /s /v ImagePath
C.sc query type= all state= all | findstr "SERVICE_NAME"
D.net start
AnswerB

Correct. This registry query recursively lists all services and their ImagePath values. The tester can then inspect paths that contain spaces and are not enclosed in quotes.

Why this answer

Option B is correct because the `reg query` command with the `/s` switch recursively searches the registry key `HKLM\SYSTEM\CurrentControlSet\Services` for the `ImagePath` value of each service. An unquoted service path vulnerability occurs when the `ImagePath` contains spaces and is not enclosed in quotes, allowing an attacker to execute arbitrary code by placing a malicious executable in a path that Windows interprets as a command with arguments. This command directly retrieves the raw path strings from the registry, making it the most reliable method to identify unquoted paths.

Exam trap

The trap here is that candidates assume `sc query` or `Get-Service` will reveal the raw unquoted path, but these commands may normalize or omit quotation marks, whereas the registry `ImagePath` value stores the exact string used by the service, including missing quotes.

How to eliminate wrong answers

Option A is wrong because `Get-Service | Format-List Name,PathName` only displays the service name and its binary path name as reported by the Service Control Manager, but it does not show the raw registry `ImagePath` value; PowerShell may automatically quote or normalize the path, hiding the unquoted vulnerability. Option C is wrong because `sc query type= all state= all | findstr "SERVICE_NAME"` only lists service names, not their binary paths, so it cannot reveal unquoted service paths. Option D is wrong because `net start` only lists currently running services by display name, not their executable paths, and provides no information about the path format or quotation.
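Because the registry stores the exact ImagePath string, the output of the `reg query` command in option B can be checked mechanically for the condition the explanation describes: a path that contains a space but is not enclosed in quotes. The following is an added example, not code from the question bank: it parses the text format that `reg query ... /s /v ImagePath` prints (key header lines followed by indented value lines), isolates the executable portion of each path from any service arguments, and flags the unquoted paths with spaces. The sample output it runs against is constructed for the example.

```python
"""Find unquoted service paths in `reg query ... /s /v ImagePath` output.

Added example: parses the text printed by
`reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\ /s /v ImagePath` and flags
every service whose executable path contains a space but is not wrapped in
quotes. The sample output below is constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample of `reg query` output: one properly quoted path, one
# unquoted path with spaces (the weak configuration), and two paths that
# contain no spaces and are therefore safe regardless of quoting.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodSvc
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Good Vendor\goodsvc.exe" -service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WeakSvc
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Weak Vendor\weaksvc.exe -k run

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NoSpaceSvc
    ImagePath    REG_EXPAND_SZ    C:\Tools\nospace.exe --verbose
"""

# A key header line ends with the service key name after "\Services\".
_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\Services\\([^\\\r\n]+)\s*$")
# A value line is indented: name, type, data separated by runs of spaces.
_VALUE_RE = re.compile(r"^\s+ImagePath\s+REG_\w+\s+(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map service key name -> raw ImagePath string, exactly as stored."""
    paths: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = _VALUE_RE.match(line)
        if value and current:
            paths[current] = value.group(1)
    return paths


def executable_part(image_path: str) -> str:
    """Return the path up to and including the .exe name.

    Anything after the executable name is service arguments, which do not
    affect the quoting check. If no .exe is present, the whole string is
    treated conservatively as the executable path.
    """
    idx = image_path.lower().find(".exe")
    return image_path if idx == -1 else image_path[: idx + 4]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and its executable part has a space.

    Windows resolves such a string by trying each space-delimited prefix as
    the program name, so this is a candidate finding. Confirming it means
    checking the ACLs of those prefix directories for low-privileged write
    access, which is the remediation point as well.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in executable_part(path)


def find_unquoted_service_paths(reg_output: str) -> List[str]:
    """Names of services whose ImagePath is unquoted and contains spaces."""
    return sorted(
        name
        for name, path in parse_reg_query(reg_output).items()
        if is_unquoted_with_spaces(path)
    )


if __name__ == "__main__":
    paths = parse_reg_query(SAMPLE_REG_OUTPUT)
    for svc in find_unquoted_service_paths(SAMPLE_REG_OUTPUT):
        print(f"unquoted service path: {svc} -> {paths[svc]}")
```

On the sample, only `WeakSvc` is reported: the quoted path, the `%SystemRoot%` path without spaces, and the spaceless path with arguments are all left alone, which is why the raw registry string (and not a normalized display from `sc` or `Get-Service`) is what the check has to read.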

188
MCQhard

A penetration tester is writing a report that includes a vulnerability with a CVSS score of 9.8. The client's security team argues that the score should be lower due to compensating controls. How should the tester respond in the report?

A.Report the base CVSS score and include a note about the compensating controls
B.Report both scores and let the client decide
C.Remove the CVSS score entirely to avoid disagreement
D.Adjust the CVSS score lower to reflect the client's compensating controls
AnswerA

Provides objective score plus context.

Why this answer

Option A is correct because the CVSS base score reflects intrinsic characteristics of the vulnerability; the tester should include the base score and note the compensating controls, but allow the client to adjust the risk in their own risk management process. Option D is incorrect because the base score should not be changed arbitrarily; the tester's job is to report objectively, not to change scores to please the client.

Option B is incorrect because reporting multiple scores can confuse.

189
Multi-Selectmedium

Which TWO of the following are key components that should be included in an executive summary of a penetration test report? (Select TWO.)

Select 2 answers
A.Disclaimer of liability for the testing company.
B.Detailed step-by-step exploitation procedures.
C.Overall risk score or security posture rating.
D.High-level summary of findings and risk ratings.
E.Full command-line output from penetration testing tools.
AnswersC, D

Provides a quick understanding of the organization's security health.

Why this answer

Options C and D are correct. The executive summary should provide a high-level overview of findings and risk ratings, business impact, and an overall risk score. Option B is detailed technical steps, not for executives.

Option E is also technical. Option A is a legal disclaimer, which is important but not a key summary component.

190
MCQeasy

A penetration tester wants to quickly identify which of the top 100 common ports are open on a target system, while minimizing network traffic and scan time. Which Nmap command is most appropriate?

A.nmap -p- target
B.nmap -T5 -F target
C.nmap -sn target
D.nmap -sV target
AnswerB

-F scans top 100 ports; -T5 uses aggressive timing for speed.

Why this answer

Option B is correct because the `-T5` flag sets the fastest timing template (insane), which reduces delays and speeds up the scan, while the `-F` flag (fast mode) limits scanning to only the top 100 most common ports as defined in Nmap's nmap-services file. This combination minimizes network traffic and scan time while quickly identifying open ports among the top 100, aligning with the goal of efficiency.

Exam trap

The trap here is that candidates often confuse `-F` with `-p-` or assume `-T5` alone is sufficient, failing to recognize that `-F` is the specific flag that restricts the scan to the top 100 ports, while `-T5` only accelerates the timing without changing the port list.

How to eliminate wrong answers

Option A is wrong because `-p-` scans all 65535 TCP ports, which generates maximum traffic and takes the longest time, directly contradicting the requirement to minimize network traffic and scan time. Option C is wrong because `-sn` performs a ping sweep (host discovery) using ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests; it does not scan any ports for open/closed status, so it cannot identify open ports. Option D is wrong because `-sV` enables version detection, which probes open ports to determine service versions, but it does not limit the port range to the top 100; without `-F`, it scans the default 1000 ports, and the version probing adds significant traffic and time, making it inefficient for the stated goal.

191
MCQmedium

A penetration tester is analyzing a Python script that uses the Impacket library to perform an SMB relay attack. The script is failing to capture NTLM hashes from target machines. Which part of the script is MOST likely misconfigured?

A.The target IP address
B.The listener IP address
C.The SMB version negotiation
D.The authentication method (NTLMv1 vs NTLMv2)
AnswerB

The listener IP must be set to the attacker's IP and reachable from the target; an incorrect listener IP will prevent the relay from receiving hashes.

Why this answer

In an SMB relay attack using Impacket, the listener IP address must be set to the attacker's IP address where the relayed authentication is received. If the listener IP is misconfigured (e.g., set to the target's IP or left as localhost), the relay server will not receive the forwarded NTLM hashes, causing the capture to fail. This is a common configuration error when using Impacket's 'smbrelayx' or similar scripts.

Exam trap

The trap here is that candidates often confuse the listener IP with the target IP, assuming the script needs the target's IP to capture hashes, when in fact the listener IP must be the attacker's own IP to receive the relayed authentication.

How to eliminate wrong answers

Option A is wrong because the target IP address is typically the machine being attacked or relayed to, and while it must be correct for the relay to reach the intended service, an incorrect target IP would cause the relay to fail at a different stage (e.g., connection refused), not specifically prevent hash capture. Option C is wrong because SMB version negotiation is handled automatically by Impacket's SMB connection; misconfiguring it might cause a connection failure but would not prevent hash capture if the relay is set up correctly. Option D is wrong because the authentication method (NTLMv1 vs NTLMv2) affects the hash format captured, but both can be relayed; the script's failure to capture hashes is not due to the NTLM version but rather the relay listener not receiving the authentication attempt.

192
MCQeasy

A small business hires a penetration tester to assess the security of their network. The owner is concerned about employee data breaches and wants to ensure compliance with industry regulations. Which of the following is the MOST critical document to establish before the test begins?

A.Vulnerability scan report
B.Rules of engagement
C.Penetration test report
D.Risk assessment matrix
AnswerB

This document outlines the scope, authorization, and constraints, making it essential before any testing occurs.

Why this answer

The Rules of Engagement (RoE) is the most critical document because it defines the legal boundaries, scope, and authorization for the penetration test. Without a signed RoE, the tester has no legal protection and the test could be considered unauthorized access, violating laws like the Computer Fraud and Abuse Act (CFAA). It also specifies key constraints such as testing times, target IP ranges, and prohibited actions, ensuring compliance with industry regulations like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates confuse the Rules of Engagement with the penetration test report or vulnerability scan report, thinking that technical outputs are more important than the legal and scoping document that authorizes the entire test.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan report is an output of the testing process, not a pre-engagement document; it would be generated after scanning begins. Option C is wrong because a penetration test report is the final deliverable summarizing findings, not a document that establishes authorization or scope before testing. Option D is wrong because a risk assessment matrix is a tool used during planning to prioritize risks, but it does not provide the legal and operational boundaries required to start the test; it is secondary to the RoE.

193
MCQmedium

A penetration tester is writing the technical report and needs to prioritize remediation recommendations. Which factor should be given the MOST weight when prioritizing?

A.The risk posed to the organization, considering likelihood and impact.
B.The number of systems affected by the vulnerability.
C.The CVSS base score of the vulnerability.
D.The ease of implementing the remediation.
AnswerA

Risk-based prioritization aligns with business needs.

Why this answer

Option A is correct because risk (likelihood and impact) is the standard basis for prioritization in penetration testing. Option B is wrong because the number of systems affected is only one component of risk. Option C is wrong because the CVSS base score alone does not consider the client's environment.

Option D is wrong because ease of remediation is secondary to risk.

194
MCQmedium

A client asks why a medium-severity finding should be remediated before a high-severity finding. The medium finding is internet-facing and actively exploited; the high finding is isolated in a lab subnet. What is the best explanation?

A.Prioritization should account for exposure and active exploitation, not only the scanner severity.
B.Medium findings must always be fixed before high findings.
C.The high finding should be ignored permanently because it is in a lab.
D.Only CVSS base score matters for remediation order.
AnswerA

An internet-facing actively exploited issue may require faster action than an isolated lab finding.

Why this answer

Option A is correct because risk-based prioritization must consider real-world factors like internet exposure and active exploitation, not just the CVSS base score. A medium-severity finding that is internet-facing and actively exploited poses a higher immediate risk to the organization than a high-severity finding isolated in a lab subnet, which has no external attack surface. This aligns with industry frameworks like CVSS environmental metrics and the FIRST CVSS v3.1 specification, which allow adjusting severity based on attack vector, complexity, and environmental context.

Exam trap

The trap here is that candidates often assume CVSS base severity alone dictates remediation order, ignoring the critical role of environmental and temporal metrics, as well as business context like exposure and active exploitation.

How to eliminate wrong answers

Option B is wrong because it incorrectly states that medium findings must always be fixed before high findings, which ignores the context of exposure and active exploitation; remediation priority should be based on risk, not a fixed severity hierarchy. Option C is wrong because it suggests the high finding should be ignored permanently, but even isolated lab findings can be leveraged in lateral movement or indicate systemic weaknesses, and should be remediated based on risk, not ignored. Option D is wrong because it claims only CVSS base score matters, but CVSS provides environmental and temporal metrics that adjust severity for factors like exposure and active exploitation, which are critical for accurate prioritization.

195
MCQeasy

A penetration tester wants to quickly identify known vulnerabilities in a web application without triggering many alarms. Which tool should the tester use?

A.SQLmap
B.Metasploit
C.OpenVAS
D.Nikto
AnswerD

Nikto is a lightweight web scanner that checks for outdated servers and common vulnerabilities.

Why this answer

Nikto is a web server scanner that performs checks for known vulnerabilities with minimal noise. SQLmap is for SQL injection only, OpenVAS is a comprehensive vulnerability scanner that may be noisy, and Metasploit is for exploitation.

196
MCQeasy

A penetration testing firm is hired to assess the security of a small business's web application. The client has explicitly stated that they do not want any testing that could cause a denial of service. Which section of the rules of engagement should specify this restriction?

A.Scope
B.Limitations
C.Scheduling
D.Legal
AnswerB

Correct. Limitations document constraints and excluded activities, such as no DoS testing.

Why this answer

The restriction against denial of service testing is a limitation on the types of activities permitted during the engagement. In the rules of engagement (RoE), the Limitations section explicitly defines what is prohibited, such as specific attack vectors, tools, or impacts like DoS, to ensure testing stays within agreed boundaries. This is distinct from the Scope, which defines what is tested (e.g., IP ranges, URLs), not what is forbidden.

Exam trap

The trap here is that candidates confuse 'Scope' (what is tested) with 'Limitations' (how it is tested), leading them to incorrectly select Scope because they think the restriction defines the boundaries of the engagement, when in fact Limitations specifies the prohibited actions within those boundaries.

How to eliminate wrong answers

Option A is wrong because Scope defines the targets (e.g., specific IP addresses, subdomains, or web application URLs) and systems in scope, not the restrictions on testing methods or impacts. Option C is wrong because Scheduling covers the timing and duration of testing (e.g., start/end dates, maintenance windows), not prohibitions on specific attack types. Option D is wrong because Legal covers contractual and regulatory compliance (e.g., data handling, liability, jurisdiction), not the operational constraints like prohibiting DoS attacks.

197
MCQmedium

A penetration tester has completed the test and is writing the final report. The client's VP of Security requests a single-page summary that highlights the most critical risks and their business impact. Which section of the report should be expanded to satisfy this request while maintaining the integrity of the full report?

A.Executive Summary – should include high-level findings and risk ratings
B.Technical Findings – should include a risk matrix
C.Appendices – should include a condensed risk report
D.Methodology – should include a summary of attack paths
AnswerA

The executive summary is intended for decision-makers and should be concise, highlighting critical risks and business impact, which aligns with the VP's request.

Why this answer

The VP of Security needs a concise, business-focused overview of critical risks and their impact. The Executive Summary is the appropriate section to expand because it is designed to present high-level findings, risk ratings, and business context for non-technical stakeholders, preserving the full report's integrity by keeping detailed technical data in other sections.

Exam trap

The trap here is that candidates may think a risk matrix belongs in Technical Findings (Option B) because it involves technical scoring, but the exam tests that business-impact summaries are always placed in the Executive Summary to satisfy non-technical stakeholders.

How to eliminate wrong answers

Option B is wrong because the Technical Findings section contains detailed vulnerability descriptions, exploit steps, and evidence; expanding it with a risk matrix would clutter the technical detail and fail to provide the concise, business-oriented summary the VP needs. Option C is wrong because Appendices are supplementary reference materials (e.g., logs, tool outputs, configuration files); condensing a risk report there would bury critical information and not serve as a quick executive overview. Option D is wrong because the Methodology section describes the testing approach, tools, and attack paths used; summarizing attack paths there would not address business impact or risk prioritization, which is the VP's request.

198
MCQhard

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester captures a valid JWT from a user session. The JWT header contains a 'kid' (key ID) parameter. The tester suspects the application is vulnerable to a key injection attack via the 'kid' parameter. Which attack technique should the tester use to forge a valid JWT without knowing the secret key?

A.Set the algorithm header to 'none' (null signature attack).
B.Replace the 'kid' value with a path to a known file on the server (e.g., /dev/null) that contains predictable content.
C.Use a side-channel attack to extract the secret key.
D.Perform a timing attack to recover the secret key character by character.
AnswerA

If the server accepts tokens with algorithm 'none', it will skip signature verification, allowing the tester to forge any token.

Why this answer

Option A is correct because setting the algorithm header to 'none' removes the need for a signature entirely. The JWT library, if not properly configured to reject 'none' algorithm tokens, will accept the forged token as valid, allowing the tester to impersonate any user without knowing the secret key.

Exam trap

The trap here is that candidates confuse the 'none' algorithm attack with the 'kid' injection attack (option B), but the question specifically asks for a technique to forge a token without knowing the secret key, which the 'none' attack achieves directly.

How to eliminate wrong answers

Option B is wrong because replacing the 'kid' value with a path like /dev/null is a key injection attack that exploits the 'kid' parameter to point to a file whose contents are used as the secret key, but this does not forge a token without knowing the secret; it manipulates the key source. Option C is wrong because a side-channel attack (e.g., power analysis, electromagnetic leaks) is impractical against a remote web application and does not directly forge a JWT. Option D is wrong because a timing attack recovers the secret key by measuring response time variations, but it requires many requests and does not immediately forge a token; it is a key recovery method, not a direct forgery technique.

199
Multi-Selecteasy

A tester is planning a physical security assessment. Which TWO should be included in the scope? (Choose two.)

Select 2 answers
A.Testing the ability to tailgate through secured entrances
B.Running vulnerability scans on internal servers
C.Performing a man-in-the-middle attack on the Wi-Fi
D.Attempting to bypass biometric locks using fake fingerprints
E.Conducting a dumpster diving exercise
AnswersA, E

Standard physical test.

Why this answer

Options A and E are correct because tailgating and dumpster diving are common physical assessment tests. Option D is too specialized and may need specific approval. Options B and C are network-based, not physical.

200
MCQhard

A penetration tester is performing a vulnerability scan on a web server that uses HTTPS. The tester wants to identify the server's SSL/TLS configuration weaknesses without overwhelming the server. Which Nmap command is most appropriate?

A.nmap -sV --script ssl-enum-ciphers -p 443 target
B.nmap -sT -A -T4 -p 443 target
C.nmap -sU -p 443 target
D.nmap -sC -p 443 target
AnswerA

This command runs the ssl-enum-ciphers script to enumerate SSL/TLS ciphers and weaknesses.

Why this answer

Option A is correct because the `ssl-enum-ciphers` NSE script enumerates all supported SSL/TLS ciphers and protocols on the target, providing a detailed assessment of cryptographic weaknesses (e.g., weak ciphers, outdated TLS versions). The `-sV` flag enables version detection, and `-p 443` targets the HTTPS port, while the script itself is designed to be lightweight and not overwhelm the server, making it ideal for a non-intrusive vulnerability scan.

Exam trap

The trap here is that candidates often choose `-sC` (default scripts) thinking it covers SSL checks, but it does not run the dedicated cipher enumeration script, which is the only option that specifically and safely identifies SSL/TLS weaknesses without aggressive scanning.

How to eliminate wrong answers

Option B is wrong because `-A` enables aggressive scanning (OS detection, version detection, script scanning, traceroute) and `-T4` sets a faster timing template, which can overwhelm the server and is not focused solely on SSL/TLS configuration weaknesses. Option C is wrong because `-sU` performs a UDP scan, but HTTPS (port 443) uses TCP, so this command would not properly assess the SSL/TLS configuration. Option D is wrong because `-sC` runs default NSE scripts, which may include some SSL-related checks but does not specifically enumerate ciphers and protocols in a targeted, non-overwhelming manner like `ssl-enum-ciphers` does.

201
MCQmedium

A penetration tester is analyzing a Python script that uses the 'paramiko' library to automate SSH key-based authentication across multiple servers. The script fails with 'AuthenticationException' for some servers that the tester is certain have the correct private key configured. Which of the following is the most likely cause of this failure?

A.The servers are running a different SSH version.
B.The public key is not in the server's authorized_keys file.
C.The SSH server host key is not in the known_hosts file.
D.The username specified is incorrect.
AnswerC

Correct. Paramiko verifies host keys by default; if the host key is not known, it raises AuthenticationException to prevent man-in-the-middle attacks.

Why this answer

The 'paramiko' library in Python handles SSH key-based authentication by first verifying the server's host key against the known_hosts file. If the host key is missing or mismatched, paramiko raises an AuthenticationException before even attempting client key authentication, even if the private key is correct. This is because paramiko enforces host key verification by default to prevent man-in-the-middle attacks, and a failure at this stage blocks the authentication process entirely.

Exam trap

The trap here is that candidates often assume AuthenticationException always means a client credential problem (private key or username), but Cisco tests the nuance that paramiko's host key verification failure can raise this exception before client authentication even begins.

How to eliminate wrong answers

Option A is wrong because SSH version differences (e.g., SSH-1 vs SSH-2) would typically cause a connection failure or protocol error, not an AuthenticationException, and paramiko supports SSH-2 which is the modern standard. Option B is wrong because if the public key were missing from authorized_keys, the server would reject the key-based authentication attempt, but paramiko would still attempt it and raise an AuthenticationException only after the key exchange fails—however, the question states the tester is certain the private key is correct, so the failure occurs before client key authentication due to host key verification. Option D is wrong because an incorrect username would cause the server to reject the authentication attempt at a later stage, but paramiko would still proceed with host key verification first; the AuthenticationException in this context is specifically tied to host key verification failure, not username issues.

202
MCQmedium

An organization has a web application that stores session tokens in a cookie named 'auth_token'. The token is a base64-encoded JSON object containing the username, role, and expiration timestamp. Which attack is most likely to succeed if encryption is not used?

A.Session replay
B.Cross-site request forgery
C.Cookie tampering
D.Session hijacking
AnswerC

The tester can decode the cookie, change values, and re-encode to escalate privileges.

Why this answer

Option C is correct because the session token is a base64-encoded JSON object without encryption, making it trivially easy to decode, modify (e.g., change the role to 'admin' or extend the expiration timestamp), re-encode, and send back to the server. This is a classic cookie tampering attack, as the server trusts the client-provided data without integrity verification.

Exam trap

CompTIA often tests the distinction between encoding and encryption, and the trap here is that candidates confuse base64 encoding with actual security, assuming it protects the token's integrity or confidentiality.

How to eliminate wrong answers

Option A is wrong because session replay involves capturing and reusing a valid token unchanged, but the question focuses on the lack of encryption enabling modification, not reuse. Option B is wrong because cross-site request forgery (CSRF) exploits the user's authenticated session to perform unintended actions, not the ability to tamper with the cookie content itself. Option D is wrong because session hijacking typically involves stealing a valid session token (e.g., via XSS or network sniffing) and using it as-is, whereas the core vulnerability here is the ability to forge or alter the token's contents due to lack of encryption.
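An added example, not part of the question bank, showing the integrity checks that close the two gaps discussed in questions 198 and 202: a base64 JSON cookie that any client can decode and edit, beside the same cookie with an HMAC tag the server verifies, and a JWT verifier that pins the algorithm to HS256 so a header claiming 'none' is rejected. The key, claim names and helper function names are constructed for the example.

```python
"""Integrity checks for client-held tokens (constructed example, not from the
question bank). It covers the two gaps discussed above: a base64 JSON cookie
with no MAC (question 202) and a JWT verifier that must reject "alg": "none"
(question 198). The key, claim names and helper names are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-sample-key-not-for-production"  # constructed value


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def claims_b64(claims: dict) -> str:
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode())


# --- question 202: encoding is not integrity -----------------------------
def make_unsigned_cookie(claims: dict) -> str:
    """The vulnerable scheme: claims are only base64-encoded."""
    return claims_b64(claims)


def read_unsigned_cookie(cookie: str) -> dict:
    """The server decodes and trusts whatever the client returned."""
    return json.loads(b64url_decode(cookie))


def edit_claims(encoded: str, **changes) -> str:
    """Decode, change values and re-encode, as the explanation describes."""
    claims = json.loads(b64url_decode(encoded))
    claims.update(changes)
    return claims_b64(claims)


def make_signed_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened scheme: the same claims plus an HMAC-SHA256 tag over them."""
    body = claims_b64(claims)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(tag)}"


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the claims only if the tag verifies, otherwise None.
    Expiry checking is left out to keep the focus on integrity."""
    try:
        body, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # missing separator, bad base64 or bad JSON
        return None


# --- question 198: pin the algorithm, never trust the header's choice ----
def make_jwt_hs256(claims: dict, key: bytes = SERVER_KEY) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = claims_b64(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt_hs256(token: str, key: bytes = SERVER_KEY):
    """Accept only HS256 with a valid signature. A header naming 'none' or
    any other algorithm is rejected before the signature is even checked."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None


if __name__ == "__main__":
    claims = {"username": "alice", "role": "user", "exp": 1700000000}
    forged = edit_claims(make_unsigned_cookie(claims), role="admin")
    print("unsigned cookie accepts edited role:", read_unsigned_cookie(forged)["role"])
    body, tag = make_signed_cookie(claims).rsplit(".", 1)
    print("signed cookie with edited body:", read_signed_cookie(edit_claims(body, role="admin") + "." + tag))
    none_token = b64url_encode(b'{"alg":"none"}') + "." + make_jwt_hs256(claims).split(".")[1] + "."
    print("alg=none token:", verify_jwt_hs256(none_token))
```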

203
Multi-Selecthard

A tester has low-privilege shell access on a Linux server. Which two checks are most appropriate for local privilege escalation enumeration? (Choose 2.)

Select 2 answers
A.Review sudo privileges with sudo -l.
B.Find SUID binaries and inspect unusual or writable executables.
C.Run a full SYN scan of the public IP range.
D.Send phishing emails to the finance department.
AnswersA, B

Misconfigured sudo rules are a common privilege escalation path.

Why this answer

Option A is correct because `sudo -l` lists the commands the current user can execute with elevated privileges, which is a standard first step in privilege escalation enumeration. If the user has sudo rights to any command without a password or with a known password, they can potentially run that command as root, leading to full system compromise.

Exam trap

The trap here is that candidates confuse network scanning or social engineering with local enumeration techniques, forgetting that the question explicitly states the tester already has low-privilege shell access on the target server.

204
Drag & Dropmedium

Drag and drop the steps to exploit a SQL injection vulnerability using sqlmap into the correct order.


Why this order

SQL injection exploitation requires first confirming vulnerability, then using sqlmap to enumerate and extract data.

205
MCQeasy

After completing a penetration test, a tester needs to dispose of test data securely. Which of the following methods is most appropriate for this purpose?

A.Delete the data using standard operating system commands
B.Use a secure data destruction tool that overwrites data multiple times
C.Format the storage device once
D.Keep the data encrypted for future reference
AnswerB

Ensures data is irrecoverable.

Why this answer

Option B is correct because secure data destruction, such as using degaussing or secure erase tools, ensures data cannot be recovered. Option A (deleting files) leaves recoverable traces. Option C (formatting once) may not wipe all sectors.

Option D (keeping the data indefinitely) violates data handling policies.

206
MCQmedium

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

A.Use the binary to execute a command that changes the root password
B.Develop and execute a buffer overflow exploit against the binary to gain a root shell
C.Modify the binary's permissions to allow execution by any user
D.Use sudo to run the binary as root
AnswerB

This is the correct approach. Exploiting the SUID binary allows privilege escalation to root.

Why this answer

The SUID binary owned by root and vulnerable to a buffer overflow allows a low-privileged user to execute it with root privileges. Developing and executing a buffer overflow exploit against the binary will overwrite the return address or function pointer to spawn a root shell, directly escalating privileges to root. This is the most effective method because it leverages the existing vulnerability to gain full control without relying on other misconfigurations.

Exam trap

The trap here is that candidates may confuse SUID with sudo, assuming sudo can be used to run the binary as root, but SUID binaries execute with the owner's privileges automatically without requiring sudoers configuration.

How to eliminate wrong answers

Option A is wrong because changing the root password requires root privileges or the ability to write to /etc/shadow, which the low-privileged shell does not have; the SUID binary does not inherently provide a mechanism to execute arbitrary commands like passwd. Option C is wrong because modifying the binary's permissions (e.g., chmod) is not possible from a low-privileged shell, as the binary is owned by root and the SUID bit is already set; the goal is to exploit the binary, not change its permissions. Option D is wrong because sudo requires the user to be in the sudoers file with appropriate permissions, which a low-privileged user typically does not have; the SUID binary is executed directly, not via sudo.

207
MCQhard

The scope allows only Nmap, but it is ineffective against heavy packet filtering. The tester wants to use an alternate tool. What should the tester do?

A.Request approval from the client to use a different tool
B.Use the alternate tool and note it in the report
C.Abort the scan and report that the network is not testable
D.Use Nmap with different parameters
AnswerA

Proper scope management.

Why this answer

Option A is correct because the tester should request approval before using an alternate tool. Option B is wrong because using an unapproved tool violates scope. Option C is wrong because aborting is premature.

Option D is wrong because the question states that an alternate tool is needed.

208
MCQeasy

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

A.Performing a DNS brute-force attack against the target's domain
B.Using the 'site:' operator in a search engine query
C.Sending ICMP echo requests to potential subdomain IP addresses
D.Querying WHOIS databases for domain registration information
AnswerB

Search engines index subdomains; querying 'site:example.com' reveals them passively.

Why this answer

Option B is correct because using the 'site:' operator in a search engine query (e.g., 'site:example.com') retrieves indexed subdomains from the search engine's cache without sending any packets to the target's network. This is a purely passive technique that leverages publicly available data, aligning with the definition of passive reconnaissance.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with techniques that appear passive but still send packets (like DNS brute-force or ICMP echo requests), or they incorrectly assume WHOIS queries can enumerate subdomains when WHOIS only provides registration metadata.

How to eliminate wrong answers

Option A is wrong because a DNS brute-force attack sends DNS queries to the target's authoritative name servers, which are packets that reach the target's network infrastructure, making it an active technique. Option C is wrong because sending ICMP echo requests (ping) to potential subdomain IP addresses directly transmits packets to the target's network, which is active reconnaissance and violates the 'no packets' constraint. Option D is wrong because querying WHOIS databases retrieves registration information (e.g., registrar, contacts) but does not discover subdomains; WHOIS records typically contain domain ownership details, not subdomain listings.

209
MCQeasy

A tester is reviewing code and sees a function that concatenates user input directly into a SQL query. Which vulnerability is most likely present?

A.Buffer overflow
B.SQL injection
C.Command injection
D.Cross-site scripting (XSS)
AnswerB

Concatenation of input into SQL statements enables SQL injection.

Why this answer

Option B is correct because concatenating input into SQL queries allows SQL injection. Option A is wrong because buffer overflow involves memory corruption. Option C is wrong because command injection targets system commands.

Option D is wrong because XSS involves injecting scripts into web pages.
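An added example, not part of the question bank, placing the concatenation pattern from the question beside its parameterized form and running both over a constructed in-memory table, so the reviewer can see why the first is reported as SQL injection. The table, rows and probe inputs are constructed for the example.

```python
"""Concatenated versus parameterized SQL (constructed example, not from the
question bank). The table, rows and probe inputs are constructed; sqlite3 is
used only because it runs in memory with no setup."""
import sqlite3


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # The pattern from the question: input pasted straight into the query
    # text, so a quote in the input changes the statement's structure.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix: the statement is fixed and the value is bound separately, so
    # the database never parses the input as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run the same input through both forms and return what each yields.
    A sqlite3 error from the concatenated form is returned as a string,
    because an error on a plain apostrophe is itself a symptom a reviewer
    should recognise."""
    conn = open_demo_db()
    try:
        try:
            concatenated = find_user_concatenated(conn, name)
        except sqlite3.Error as exc:
            concatenated = f"error: {exc}"
        return {
            "concatenated": concatenated,
            "parameterized": find_user_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # "alice" behaves the same both ways; the other two inputs do not.
    for probe in ("alice", "' OR '1'='1", "o'neil"):
        print(repr(probe), compare(probe))
```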

210
MCQeasy

A penetration tester wants to perform a slow and stealthy port scan to avoid intrusion detection systems. Which Nmap option should be used?

A.-O
B.-A
C.-T0
D.-sV
AnswerC

Timing template 0 (Paranoid) is the slowest and most stealthy.

Why this answer

The -T0 option sets the timing template to Paranoid, which is extremely slow and avoids IDS detection. -O is for OS detection, -sV for version detection, and -A for aggressive scan.

211
MCQmedium

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

A.Test the cloud assets as part of the engagement because they support the client's business
B.Exclude the cloud provider's assets from the scope and update the rules of engagement
C.Test only the client-facing parts of the cloud service
D.Request the client to sign an additional liability waiver for testing third-party assets
AnswerB

Assets owned by third parties without their consent must be excluded to remain within legal and ethical boundaries.

Why this answer

The correct action is to exclude the cloud provider's assets from the scope and update the rules of engagement (ROE). Penetration testing without explicit authorization from the asset owner violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The ROE must clearly define the scope to avoid testing third-party infrastructure that the client does not own or have permission to test.

Exam trap

The trap here is that candidates may assume a liability waiver or partial testing is sufficient, but the CompTIA PT0-002 exam emphasizes that explicit permission from the asset owner is non-negotiable, regardless of business relationships or waivers.

How to eliminate wrong answers

Option A is wrong because testing assets without the cloud provider's permission constitutes unauthorized access, which is illegal and violates standard penetration testing ethics and legal frameworks. Option C is wrong because there is no technical mechanism to isolate 'client-facing parts' of a cloud service without affecting the provider's backend infrastructure; any interaction with the service involves the provider's systems, and partial testing still requires the provider's consent. Option D is wrong because a liability waiver does not grant legal authorization to test third-party assets; permission must come directly from the asset owner, not from the client signing a waiver.

212
MCQhard

A tester uses OllyDbg to step through a binary. The EAX register contains 0x00401234. What does this represent?

A.A system call number
B.A file handle
C.A memory address
D.An ASCII character
AnswerC

The value 0x00401234 is within the typical user-mode address space.

Why this answer

Option C is correct because EAX holds a memory address (0x00401234 is a typical address in a process). Option A is wrong because system call numbers are typically small integers. Option B is wrong because file handles are usually small integers or pointers.

Option D is wrong because an ASCII character would be a small value.

213
MCQmedium

Refer to the exhibit. A penetration tester performed an Nmap scan of a target server and received the above output. The tester recalls that one of these services is associated with a well-known remote code execution vulnerability that can be exploited without authentication. Which service is most likely vulnerable?

A.HTTP (port 80)
B.SSH (port 22)
C.Microsoft-DS (port 445)
D.ms-wbt-server (port 3389)
AnswerC

SMB has a history of critical remote code execution flaws like EternalBlue that do not require authentication.

Why this answer

Port 445/tcp is Microsoft-DS (SMB). The SMB protocol has known remote code execution vulnerabilities such as EternalBlue (MS17-010) that can be exploited without authentication. HTTP (option A) and SSH (option B) typically require credentials or application-level vulnerabilities.

RDP (option D) has had vulnerabilities, but the most notorious unauthenticated RCE on SMB is EternalBlue.

214
Multi-Selecthard

A tester is conducting a code review of a web application. Which three coding practices can help prevent cross-site scripting (XSS)?

Select 3 answers
A.Parameterized queries
B.Content Security Policy (CSP) headers
C.Disabling JavaScript in the client
D.Output encoding
E.Input validation
AnswersB, D, E

CSP headers restrict script sources and mitigate XSS.

Why this answer

Options B, D, and E are correct. Input validation filters malicious input. Output encoding prevents script execution in the browser. Content Security Policy (CSP) restricts the execution of inline scripts. Option A is wrong because parameterized queries prevent SQL injection, not XSS. Option C is wrong because disabling JavaScript in the client is not a coding practice.

215
Multi-Selectmedium

Before starting a penetration test, the tester receives permission to test only two public IP ranges and is told not to perform denial-of-service testing. Which two documents or artefacts are most important to confirm before testing begins? (Choose 2.)

Select 2 answers
A.Written authorization to test the specified targets.
B.Rules of engagement describing prohibited techniques such as DoS.
C.A list of exploit payloads from a public GitHub repository.
D.A screenshot of the company home page.
AnswersA, B

Testing must be explicitly authorized.

Why this answer

Written authorization (A) is the foundational legal document that explicitly grants the tester permission to test the specified public IP ranges, protecting against claims of unauthorized access under laws like the Computer Fraud and Abuse Act. The rules of engagement (B) define the scope boundaries, including the prohibition of denial-of-service testing, which is critical to avoid service disruption and legal liability. Without these two documents, the tester lacks both legal authority and operational constraints, making them the most important artefacts before testing begins.

Exam trap

The trap here is that candidates may mistakenly prioritize technical artefacts like exploit lists or screenshots over the legal and scoping documents that are mandatory before any testing begins, confusing operational tools with authorization requirements.

216
MCQeasy

A penetration tester wants to identify the operating system of a remote host without sending any traffic to the target network. Which of the following techniques is most effective for this purpose?

A.Perform an nmap OS fingerprint scan on the host.
B.Use Shodan to search for the host's IP address and examine the service banners.
C.Send a ping sweep to the host's network segment.
D.Use ARP scanning to discover the host's MAC address and look up the vendor.
AnswerB

Shodan provides information gathered from previous scans, allowing for passive OS identification.

Why this answer

Option B is correct because Shodan is a search engine that indexes service banners and metadata from internet-connected devices. By querying Shodan for the target's IP address, the tester can retrieve previously collected OS information without sending any packets to the target, satisfying the 'no traffic' constraint.

Exam trap

The trap here is that candidates assume passive OS identification requires active scanning tools like nmap, overlooking that Shodan provides a passive, historical data source that avoids generating any traffic to the target.

How to eliminate wrong answers

Option A is wrong because nmap OS fingerprint scan actively sends TCP/IP probes (e.g., SYN, FIN, NULL packets) to the target host, generating network traffic. Option C is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts, which directly generates traffic on the target network. Option D is wrong because ARP scanning sends ARP request broadcasts to the local network segment, which creates traffic and only works for hosts on the same Layer 2 domain, not a remote host.

217
MCQeasy

A penetration tester is scoping an engagement for a client that hosts a public-facing web application and an internal database server. The client wants to ensure that testing does not cause any disruption to the database server. Which of the following should the tester include in the rules of engagement to address this concern?

A.Specify that only passive reconnaissance techniques will be used on the database server.
B.Include a clause that the tester will not attempt to exploit any vulnerabilities on the database server.
C.Define the database server as an out-of-scope target.
D.Require that all testing activities be performed during off-peak hours only.
AnswerC

By explicitly listing the database server as out-of-scope, no testing of any kind will be performed against it, eliminating any risk of disruption.

Why this answer

Option C is correct because defining the database server as out-of-scope explicitly removes it from all testing activities, ensuring zero disruption as requested. This is the only option that fully prevents any interaction with the database server, including passive reconnaissance or exploitation attempts, which could still cause unintended load or queries.

Exam trap

The trap here is that candidates may think passive reconnaissance or off-peak testing is sufficient to avoid disruption, but the CompTIA PT0-002 exam emphasizes that only explicit out-of-scope designation guarantees no interaction with a target system.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance on the database server (e.g., banner grabbing, DNS enumeration) could still generate traffic or queries that disrupt the server, violating the client's requirement. Option B is wrong because including a clause not to exploit vulnerabilities still allows other testing activities (e.g., scanning, enumeration) that could cause disruption, and the tester might inadvertently trigger a vulnerability during reconnaissance. Option D is wrong because performing tests during off-peak hours does not prevent disruption; it only reduces the impact on users, but the database server could still be affected by scanning or exploitation attempts.

218
MCQhard

A penetration tester gains a low-privileged shell on a Linux server and discovers that the user is a member of the 'docker' group. The tester wants to escalate privileges to root. Which technique is most effective?

A.Use cron job misconfigurations to execute a reverse shell
B.Exploit kernel vulnerabilities using a local exploit suggester
C.Run a Docker container with the host filesystem mounted and access it as root
D.Abuse SETUID binaries to execute commands as root
AnswerC

By running a Docker container with the host filesystem mounted (e.g., `docker run -v /:/mnt -it alpine chroot /mnt`), the user can access all host files as root because Docker effectively runs as root. This bypasses normal privilege restrictions.

Why this answer

Option C is correct because members of the 'docker' group can run Docker containers with the `-v /:/mnt` flag to mount the host filesystem into the container. Inside the container, the user effectively has root privileges (since the container runs as root by default) and can access the host's `/mnt` directory, allowing them to modify files like `/mnt/etc/shadow` or add an SSH key to `/mnt/root/.ssh/authorized_keys` to gain root access on the host.

Exam trap

CompTIA often tests the misconception that kernel exploits are always the fastest path to root, but the trap here is that membership in the 'docker' group is a trivial and reliable escalation vector that bypasses the need for kernel exploitation or other complex techniques.

How to eliminate wrong answers

Option A is wrong because cron job misconfigurations require write access to a cron directory or a user's crontab, which the low-privileged user does not have; the 'docker' group membership does not grant cron-related privileges. Option B is wrong because exploiting kernel vulnerabilities is a valid privilege escalation technique, but it is not the most effective here since the 'docker' group provides a direct, reliable, and less risky path to root without needing to match a specific kernel version or risk system instability. Option D is wrong because abusing SETUID binaries requires finding a binary with the SUID bit set that can be exploited (e.g., via a known vulnerability or misconfiguration), but the 'docker' group membership offers a more straightforward and guaranteed escalation path.

219
MCQmedium

A penetration tester has completed testing and identified several vulnerabilities: a critical SQL injection (CVSS 9.8), a medium stored XSS (CVSS 6.1), and a low self-signed certificate (CVSS 3.7). The client's security manager asks for a simplified way to prioritize remediation. Which of the following is the most effective approach for the tester to present the findings?

A.List all vulnerabilities in descending order of CVSS score only.
B.Provide a risk matrix that maps likelihood and impact for each finding.
C.Present only the critical SQL injection finding because it overshadows the others.
D.Calculate a single overall risk score for the entire engagement by averaging all CVSS scores.
AnswerB

A risk matrix allows the tester to rate each finding based on the likelihood of exploitation and the potential business impact. This gives the client a clear, actionable prioritization that accounts for their specific environment and risk tolerance.

Why this answer

Option B is correct because a risk matrix that maps likelihood and impact for each finding provides a more nuanced prioritization than raw CVSS scores alone. CVSS scores reflect intrinsic severity but do not account for the client's specific threat environment, asset criticality, or compensating controls. By presenting a risk matrix, the tester enables the security manager to make informed decisions based on the actual risk to the organization, which is the core goal of the reporting and communication domain in PT0-002.

Exam trap

The trap here is that candidates often assume CVSS scores are the definitive prioritization metric, but PT0-002 emphasizes that risk-based communication (using likelihood and impact) is the most effective approach for client remediation discussions.

How to eliminate wrong answers

Option A is wrong because listing vulnerabilities in descending order of CVSS score only ignores the context of likelihood and business impact, which can lead to misprioritization (e.g., a critical SQL injection on a non-critical server may be less urgent than a medium XSS on a public-facing application with sensitive user data). Option C is wrong because presenting only the critical SQL injection finding disregards the other vulnerabilities, which could be exploited in combination (e.g., chaining XSS with SQL injection) or pose significant risk in the client's specific environment. Option D is wrong because calculating a single overall risk score by averaging CVSS scores is statistically invalid and obscures the distinct severity levels of individual findings; a low-severity issue can dilute the critical finding, giving a false sense of security.

220
MCQeasy

After completing a penetration test, the client requests a one-page document that highlights the most critical vulnerabilities, overall risk level, and recommended next steps for management. Which deliverable should the penetration tester provide?

A.Executive summary
B.Technical report
C.Raw scan data
D.Remediation guide
AnswerA

The executive summary condenses the test results into a format suitable for management, focusing on business impact and top priorities.

Why this answer

The executive summary is the correct deliverable because it is specifically designed to provide a high-level overview of the most critical vulnerabilities, overall risk level, and recommended next steps for management. Unlike a technical report, it avoids deep technical jargon and focuses on business impact, aligning with the client's request for a concise one-page document.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, thinking management needs detailed evidence, when in fact the exam emphasizes that management requires a concise, risk-focused overview without technical depth.

How to eliminate wrong answers

Option B is wrong because a technical report is a detailed document that includes full attack chains, command outputs, and evidence, which is too lengthy and technical for a one-page management summary. Option C is wrong because raw scan data is unprocessed output from tools like Nmap or Nessus, lacking analysis, risk ratings, or actionable recommendations, and is not suitable for management. Option D is wrong because a remediation guide is a step-by-step technical document for fixing vulnerabilities, not a high-level summary of critical findings and risk levels for executive decision-making.

221
MCQhard

During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?

A.Injecting shellcode directly onto the stack and overwriting the return address to jump to it
B.Using a return-to-libc attack to call system() with a command string
C.Constructing a ROP chain using gadgets from loaded DLLs to simulate shellcode execution
D.Enabling the execute bit on the stack via a memory corruption primitive
AnswerC

ROP allows arbitrary code execution by reusing existing code segments, effectively bypassing DEP when ASLR is disabled.

Why this answer

With DEP enabled, the stack is marked non-executable, so injecting shellcode directly (option A) would fail. ASLR being disabled means the addresses of loaded DLLs are predictable, making it feasible to construct a ROP chain using gadgets from those DLLs to simulate shellcode execution. Option C is correct because ROP chains bypass DEP by reusing existing executable code (gadgets) without needing to execute code on the stack.

Exam trap

The trap here is that candidates assume DEP can be bypassed simply by enabling execution on the stack (option D) without realizing that doing so requires a ROP chain or similar technique to call VirtualProtect, making option C the more direct and effective approach.

How to eliminate wrong answers

Option A is wrong because DEP prevents execution of code on the stack, so overwriting the return address to jump to injected shellcode will cause an access violation. Option B is wrong because a return-to-libc attack typically calls a single function like system() from libc, but on Windows the equivalent (e.g., calling system() from msvcrt) is limited; more importantly, return-to-libc cannot easily chain multiple function calls to achieve arbitrary shellcode behavior, whereas a ROP chain can. Option D is wrong because enabling the execute bit on the stack would require a separate memory corruption primitive to modify page permissions (e.g., via VirtualProtect), which itself would need to be called through ROP or similar; it is not a direct exploitation technique and is less effective than constructing a full ROP chain.

222
MCQmedium

A penetration tester has successfully exploited a web application and gained a reverse shell as the www-data user on a Linux server. The tester wants to escalate privileges to root. The server is running a vulnerable version of polkit's pkexec (CVE-2021-4034). Which action should the tester take to exploit this vulnerability?

A.Execute the 'sudo -u root' command
B.Run the 'pkexec' binary with crafted environment variables
C.Modify the PATH environment variable to include a malicious executable
D.Use a generic kernel exploit for privilege escalation
AnswerB

The PwnKit vulnerability is triggered by running pkexec with specific environment variables (e.g., a modified PATH) that cause a buffer overflow, allowing privilege escalation.

Why this answer

Option B is correct because CVE-2021-4034 (PwnKit) is a memory corruption vulnerability in polkit's pkexec that allows an unprivileged user to escalate privileges to root by running the pkexec binary with crafted environment variables. Specifically, by setting the PATH and other environment variables to trigger an out-of-bounds write, the attacker can execute arbitrary code as root without authentication.

Exam trap

The trap here is that candidates may confuse this with a PATH hijacking attack (option C) or assume sudo is the default escalation method, but CVE-2021-4034 specifically requires crafted environment variables like GCONV_PATH, not just PATH modification.

How to eliminate wrong answers

Option A is wrong because 'sudo -u root' requires the www-data user to have sudo privileges configured in /etc/sudoers, which is not the case here; it would fail with a permission error. Option C is wrong because modifying the PATH environment variable alone does not exploit CVE-2021-4034; the vulnerability requires specific crafted environment variables (like GCONV_PATH) to trigger the out-of-bounds write in pkexec, not just PATH manipulation. Option D is wrong because using a generic kernel exploit is unnecessary when a specific, reliable exploit for the known vulnerable pkexec binary exists; generic kernel exploits may also fail due to kernel version mismatches or security mitigations.

223
MCQmedium

A penetration tester has gained low-privilege access on a Windows 10 machine. The tester discovers that a service runs with SYSTEM privileges and has the following binary path: C:\Program Files\MyApp\service.exe. The path is unquoted. Which exploitation technique is most likely to allow the tester to escalate privileges?

A.Create a malicious executable named 'C:\Program.exe' and place it in the root of C:.
B.Create a malicious executable named 'MyApp.exe' and place it in C:\Program Files\.
C.Modify the service's binary path in the registry to point to a malicious executable.
D.Use SeImpersonatePrivilege to impersonate the SYSTEM account and directly modify the service.
AnswerB

Because the service path is unquoted, Windows will first try to execute 'C:\Program.exe', but that does not exist. It then tries 'C:\Program Files\MyApp.exe'. If the tester can write to 'C:\Program Files\', they can place a malicious 'MyApp.exe' there. When the service starts, it will run the malicious executable with SYSTEM privileges.

Why this answer

The unquoted service binary path 'C:\Program Files\MyApp\service.exe' allows Windows to interpret spaces as separators, so it will attempt to execute 'C:\Program.exe' first, then 'C:\Program Files\MyApp.exe', and finally the intended path. By placing a malicious 'MyApp.exe' in 'C:\Program Files\', the tester exploits the space in 'Program Files' to hijack execution before the legitimate service.exe runs, achieving privilege escalation to SYSTEM.

Exam trap

The trap here is that candidates may assume the exploit requires placing an executable at the root (C:\Program.exe) or modifying the registry, but the correct technique exploits the space in 'Program Files' by placing the malicious binary in that directory, not at the root.

How to eliminate wrong answers

Option A is wrong because, although the unquoted path causes Windows to try 'C:\Program.exe' first, the exploitation point this question targets is the space in 'Program Files', not the root of C:. Option C is wrong because modifying the service's binary path in the registry requires administrative privileges to edit the service configuration, which the tester does not have with low-privilege access. Option D is wrong because SeImpersonatePrivilege allows token impersonation but does not grant direct modification of a service's binary path; it is used for techniques like token theft or potato attacks, not for unquoted service path exploitation.
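
As an added example (not part of the question bank), a Python audit check for the misconfiguration this question is built on: it flags service ImagePath values that are unquoted and contain spaces, separates the executable from its arguments, and produces the quoted form that remediates the issue. The service records are constructed samples and the function names are my own.

```python
"""Audit check for unquoted service paths (added example, not from the
question bank). Service records below are constructed samples; nothing
here reads a real registry or host."""
import re

# Constructed sample of service name -> ImagePath, covering the cases an
# auditor meets: unquoted with spaces, quoted, with arguments, no spaces.
SAMPLE_SERVICES = {
    "MyApp": r"C:\Program Files\MyApp\service.exe",
    "MyAppQuoted": r'"C:\Program Files\MyApp\service.exe"',
    "MyAppArgs": r"C:\Program Files\MyApp\service.exe -config C:\Program Files\MyApp\app.cfg",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Svc": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
}


def executable_part(image_path: str) -> str:
    """Return the portion of ImagePath that names the executable.

    A quoted path ends at the closing quote. For an unquoted path the
    executable is taken to end at the first '.exe' (case-insensitive),
    a common approximation; anything after it is treated as arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    m = re.search(r"\.exe", s, re.IGNORECASE)
    return s[: m.end()] if m else s


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path has the weakness this question describes:
    the executable portion contains a space and is not quoted."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    return " " in executable_part(s)


def audit_unquoted_paths(services: dict) -> list:
    """Names of services whose ImagePath is unquoted and contains a space."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))


def quoted_image_path(image_path: str) -> str:
    """Remediated form: the executable wrapped in quotes, arguments kept.
    Paths that are already safe are returned unchanged."""
    s = image_path.strip()
    if not is_unquoted_with_spaces(s):
        return s
    exe = executable_part(s)
    return f'"{exe}"' + s[len(exe):]


if __name__ == "__main__":
    for name in audit_unquoted_paths(SAMPLE_SERVICES):
        print(f"{name}: {SAMPLE_SERVICES[name]}")
        print(f"  fix -> {quoted_image_path(SAMPLE_SERVICES[name])}")
```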

224
Multi-Selecthard

Which THREE of the following are common techniques used to evade antivirus (AV) detection of post-exploitation tools? (Choose three.)

Select 3 answers
A.Obfuscate the payload code
B.Pack the executable with a crypter
C.Use encrypted communication channels
D.Enable SMB file sharing
E.Apply the latest Windows patches
AnswersA, B, C

Obfuscation changes the code pattern to avoid signature detection.

Why this answer

Obfuscating the payload code transforms the malicious code into a different representation (e.g., XOR encoding, Base64, or custom encryption) that does not match known AV signatures. AV engines rely on static signature matching, so by altering the byte sequence without changing the payload's functionality, the tool evades signature-based detection. This is a fundamental technique used in frameworks like Metasploit with its 'shikata_ga_nai' encoder.

Exam trap

The trap here is that candidates confuse system hardening or network configuration changes (like SMB sharing or patching) with active evasion techniques, when in fact only code transformation and communication encryption directly hide the malicious tool from AV.

225
Multi-Selecteasy

Which THREE of the following are examples of privilege escalation techniques on Linux systems? (Select THREE.)

Select 3 answers
A.Exploiting kernel vulnerabilities
B.Exploiting SUID binary vulnerabilities
C.Token manipulation
D.Sudo misconfiguration exploitation
E.Pass-the-hash
AnswersA, B, D

Kernel exploits can grant root-level access.

Why this answer

Exploiting kernel vulnerabilities (Option A) is a privilege escalation technique because the Linux kernel operates with the highest system privileges (ring 0). A vulnerability in the kernel, such as a use-after-free or race condition in a syscall handler, can allow an attacker to execute arbitrary code with kernel-level privileges, effectively gaining root access. Common examples include the Dirty Cow (CVE-2016-5195) vulnerability, which exploited a race condition in the memory subsystem to achieve local privilege escalation.

Exam trap

CompTIA often tests the distinction between Windows-specific and Linux-specific privilege escalation techniques, so the trap here is that candidates may mistakenly apply Windows concepts like token manipulation or pass-the-hash to Linux environments, where they are not valid.
