
Scenario-based practice

Hard Difficulty Questions

Practise CompTIA PenTest+ PT0-002 exam-style scenario questions covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: PT0-002 | Vendor: CompTIA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. They cover:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard)

A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?

Question 2 (hard, multiple choice)

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

Question 3 (hard, multiple choice)

A client is subject to PCI DSS compliance and requests a penetration test. The client's network has a mix of in-scope systems (cardholder data environment) and out-of-scope systems. During scoping, the tester recommends a specific approach to ensure accurate segmentation testing. Which of the following is the most important consideration for the rules of engagement?

Question 4 (hard, multiple choice)

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

Question 5 (hard, multiple choice)

A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?

Question 6 (hard, multiple choice)

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

Question 7 (hard, multiple choice)

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

Question 8 (hard, multiple choice)

A penetration tester is performing a vulnerability scan on a web server that uses HTTPS. The tester wants to identify the server's SSL/TLS configuration weaknesses without overwhelming the server. Which Nmap command is most appropriate?

Question 9 (hard, multiple choice)

A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?

Question 10 (hard, multiple choice)

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

Question 11 (hard, multiple choice)

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

Question 12 (hard, multiple choice)

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

Question 13 (hard, multiple choice)

A penetration tester is analyzing a PowerShell script used during an internal test. The script contains the following code block:

```powershell
$cred = Get-Credential
$session = New-PSSession -ComputerName 'Server01' -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-ChildItem C:\Secrets.txt }
Remove-PSSession $session
```

What is the primary purpose of this script?

Question 14 (hard, multiple choice)

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

Question 15 (hard, multiple choice)

A penetration tester is writing a return-oriented programming (ROP) exploit for a Linux binary to bypass Data Execution Prevention (DEP). The binary has DEP enabled, but the tester identifies a gadget in a dynamically linked library that is not affected by ASLR. Which condition must be true for the ROP chain to succeed?

Question 16 (hard, multiple choice)

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

Question 17 (hard, multi select)

A tester has low-privilege shell access on a Linux server. Which two checks are most appropriate for local privilege escalation enumeration? (Choose 2.)

Question 18 (hard, multiple choice)

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

Question 19 (hard, multiple choice)

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

Question 20 (hard, multiple choice)

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

These PT0-002 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style PT0-002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.