
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise CompTIA PenTest+ PT0-002 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: PT0-002 | Vendor: CompTIA

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. A penetration tester discovers this IAM policy attached to a public user role. Which attack is most likely to succeed?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*"
    }
  ]
}
```

Question 2 (easy, multiple choice)

Refer to the exhibit. A penetration tester sends the request and receives the response shown. Which vulnerability is confirmed?

Exhibit

Refer to the exhibit.
```
GET /search?q=<script>alert('XSS')</script> HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Type: text/html

<html><body>
  <p>You searched for: <script>alert('XSS')</script></p>
</body></html>
```

Question 3 (medium, multiple choice)

Refer to the exhibit. A penetration tester is reviewing a web server error log. Based on the log, what vulnerability does the tester suspect?

Exhibit

Refer to the exhibit.

```
[Sun Mar 13 12:00:00.123456 2024] [php:notice] [pid 1234] [client 192.168.1.5:54321] PHP Notice:  Undefined variable: username in /var/www/html/login.php on line 32
[Sun Mar 13 12:00:01.234567 2024] [php:warning] [pid 1234] [client 192.168.1.5:54321] PHP Warning:  mysqli_connect(): (HY000/1045): Access denied for user 'test'@'localhost' (using password: YES) in /var/www/html/db.php on line 8
```

Question 4 (hard, multiple choice)

Refer to the exhibit. A penetration tester reviews this S3 bucket policy. The bucket contains sensitive data. Which of the following best describes the security issue?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 5 (hard, multiple choice)

Based on the exhibit, which host or network can SSH to 10.0.1.10?

Network Topology

Refer to the exhibit.
```
# iptables -L -n
Chain INPUT (policy ACCEPT)
target  prot  opt  source           destination
DROP    all        0.0.0.0/0
ACCEPT  tcp        192.168.1.0/24   10.0.1.10    tcp dpt:22
ACCEPT  all        10.0.1.0/24
```

Question 6 (medium, multiple choice)

Refer to the exhibit. During scoping, what risk does this policy pose?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*"
    }
  ]
}
```

Question 7 (easy, multiple choice)

Refer to the exhibit. A penetration tester is scoping a test and needs to reach a host at 10.0.1.50. Through which interface will traffic be routed?

Exhibit

Refer to the exhibit.
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

Question 8 (medium, multiple choice)

Refer to the exhibit. A penetration tester obtains this output from a Linux server. The tester notes that port 3389 is typically used for RDP on Windows. Which of the following is the MOST likely explanation?

Exhibit

```
Active Connections
Proto  Local Address          Foreign Address        State
TCP    10.0.0.15:22           192.168.1.100:54321    ESTABLISHED
TCP    10.0.0.15:80           0.0.0.0:0              LISTENING
TCP    10.0.0.15:443          0.0.0.0:0              LISTENING
TCP    10.0.0.15:3389         203.0.113.50:12345     ESTABLISHED
UDP    10.0.0.15:123          *:*
```

Question 9 (hard, multiple choice)

Refer to the exhibit. A penetration tester used a vulnerability scanner and obtained the above result. What is the BEST way to represent this finding in the report to ensure the client can reproduce and fix it?

Exhibit

Refer to the exhibit.

Exhibit: Web application vulnerability scanner output
```
Vulnerability: SQL Injection
URL: https://example.com/search?q=test
Parameter: q
Payload: ' OR 1=1--
Evidence: Error message shows database version: Microsoft SQL Server 2016 (RTM)
Severity: Critical
```

Question 10 (easy, multiple choice)

Refer to the exhibit. A penetration tester gained a Meterpreter session on a Windows server. Which of the following should the tester include in the report to provide the most actionable remediation advice?

Exhibit

Refer to the exhibit.

Exhibit: Metasploit session output
```
session -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer    : WIN-2K8R2
OS          : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
Meterpreter : x64/windows
```

Question 11 (medium, multiple choice)

Refer to the exhibit. A penetration tester performed an initial nmap scan and recorded the above output. The tester wants to include this in the report. What additional information should the tester add to make the finding more useful for remediation?

Exhibit

Refer to the exhibit.

Exhibit: NMAP scan output
```
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp open     http-proxy
```

Question 12 (medium, multiple choice)

Based on the exhibit, which additional Nmap command should the tester run to gather the most useful information for a web application test?

Exhibit

Refer to the exhibit.

Output from a command:
```
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-15 14:22 PDT
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
MAC Address: 00:1A:2B:3C:4D:5E (Dell)

Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds
```

Question 13 (hard, multiple choice)

Based on the exhibit, which tool would be most effective for exploiting this vulnerability?

Exhibit

Refer to the exhibit.

Error log from a web application:
```
[2024-03-15 14:25:12] Script: /var/www/html/search.php
Input: q=test' OR '1'='1
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'='1' at line 1
```

Question 14 (medium, multiple choice)

Refer to the exhibit. A penetration tester performed an Nmap scan of a target server and received the above output. The tester recalls that one of these services is associated with a well-known remote code execution vulnerability that can be exploited without authentication. Which service is most likely vulnerable?

Exhibit

```
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds
```

Question 15 (hard, multiple choice)

Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

Exhibit

```
Vulnerability: SQL Injection on login.php
Risk: High
Impact: An attacker can extract data from the database.
Recommendation: Use parameterized queries.
```

These PT0-002 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style PT0-002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.