Practice set
CompTIA PenTest+ PT0-002 questions
Question 1mediummultiple choice
Full question →A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?
Question 2mediummultiple choice
Full question →A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?
Question 3mediummulti select
Full question →A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.) (Choose 2.)
Question 4hardmultiple choice
Full question →A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?
Question 5easymultiple choice
Full question →A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?
Question 6easymultiple choice
Full question →A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?
Question 7easymultiple choice
Full question →A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?
Question 8easymultiple choice
Full question →A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?
Question 9mediummultiple choice
Full question →A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: curl -X POST -d "username=admin&password[$ne]=a" http://target/login. Which type of attack is this script most likely attempting?
Question 10easymultiple choice
Full question →A penetration tester is analyzing a Bash script used for post-exploitation enumeration. The script contains the line: `cat /etc/shadow | awk -F: '{print $1, $2}'`. What is the primary purpose of this command?
Question 11mediummultiple choice
Full question →A penetration tester is analyzing a PowerShell script that contains the following code: Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State What is the primary purpose of this script?
Question 12mediummultiple choice
Full question →A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?
Question 13mediummultiple choice
Full question →A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?
Question 14mediummultiple choice
Full question →A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?
Question 15easymultiple choice
Full question →A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?
Question 16mediummultiple choice
Full question →A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?
Question 17mediummultiple choice
Full question →A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?
Question 18mediummultiple choice
Full question →A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?
Question 19mediummultiple choice
Full question →A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?
Question 20mediummultiple choice
Full question →A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?
Question 21hardmultiple choice
Full question →A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?
Question 22mediummultiple choice
Full question →A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?
Question 23mediummultiple choice
Full question →A penetration tester is analyzing a Bash script that performs network scanning. The script contains the following command: 'for ip in $(seq 1 254); do hping3 -S -p 22 -c 1 $TARGET_SUBNET.$ip 2>/dev/null | grep -q "flags=SA" && echo "$TARGET_SUBNET.$ip: open"; done'. What is the primary purpose of this script?
Question 24mediummultiple choice
Full question →