CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 101:

  A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user's work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

  A. Add a web shell to the root of the website.

  B. Upgrade the reverse shell to a true TTY terminal.

  C. Add a new user with ID 0 to the /etc/passwd file.

  D. Change the password of the root user and revert after the test.

  Correct Answer: C

  The best option for the penetration tester to maintain root-level persistence on this server during the test is to add a new user with ID 0 to the /etc/passwd file. This will allow the penetration tester to use the same user account as the other user, but with root privileges, meaning that it won't disrupt the other user's work. This can be done by adding a new line with the username and the numerical user ID 0 to the /etc/passwd file. For example, if the username for the other user is "johndoe", the line to add would be "johndoe:x:0:0:John Doe:/root:/bin/bash". After the user is added, the penetration tester can use the "su" command to switch to the new user and gain root privileges.

• Question 102:

  A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?

  A. Phishing

  B. Tailgating

  C. Baiting

  D. Shoulder surfing

  Correct Answer: C

  Reference: https://phoenixnap.com/blog/what-is-social-engineering-types-of-threats

• Question 103:

  A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?

  A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe

  B. wmic startup get caption,command

  C. crontab –l; echo “@reboot sleep 200 andand ncat –lvp 4242 –e /bin/bash”) | crontab 2>/dev/null

  D. sudo useradd –ou 0 –g 0 user

  Correct Answer: A

• Question 104:

  A penetration tester managed to exploit a vulnerability using the following payload:

  IF (1=1) WAIT FOR DELAY '0:0:15'

  Which of the following actions would best mitigate this type ol attack?

  A. Encrypting passwords

  B. Parameterizing queries

  C. Encoding output

  D. Sanitizing HTML

  Correct Answer: B

  The payload used by the penetration tester is a type of blind SQL injection attack that delays the response of the database by 15 seconds if the condition is true. This can be used to extract information from the database by asking a series of true or false questions. To prevent this type of attack, the best practice is to use parameterized queries, which separate the user input from the SQL statement and prevent the injection of malicious code. Encrypting passwords, encoding output, and sanitizing HTML are also good security measures, but they do not directly address the SQL injection vulnerability. References: The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 5: Attacks and Exploits, Section 5.2: Perform Network Attacks, Subsection: SQL Injection, p. 235-237 Blind SQL Injection | OWASP Foundation, Description and Examples sections Time-Based Blind SQL Injection Attacks, Introduction and Microsoft SQL Server sections

• Question 105:

  During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?

  A. Command injection

  B. Broken authentication

  C. Direct object reference

  D. Cross-site scripting

  Correct Answer: C

  Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone accessing data on the site is allowed to access that data.

• Question 106:

  Which of the following expressions in Python increase a variable val by one (Choose two.)

  A. val++

  B. +val

  C. val=(val+1)

  D. ++val

  E. val=val++

  F. val+=1

  Correct Answer: CF

  In Python, there are two ways to increase a variable by one: using the assignment operator (=) with an arithmetic expression, or using the augmented assignment operator (+=). The expressions val=(val+1) and val+=1 both achieve this goal. The expressions val++ and ++val are not valid in Python, as there is no increment operator. The expressions +val and val=val++ do not change the value of val2. https://pythonguides.com/increment-and-decrement-operators-in-python/

• Question 107:

  A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?

  A. Specially craft and deploy phishing emails to key company leaders.

  B. Run a vulnerability scan against the company's external website.

  C. Runtime the company's vendor/supply chain.

  D. Scrape web presences and social-networking sites.

  Correct Answer: D

• Question 108:

  Deconfliction is necessary when the penetration test:

  A. determines that proprietary information is being stored in cleartext.

  B. occurs during the monthly vulnerability scanning.

  C. uncovers indicators of prior compromise over the course of the assessment.

  D. proceeds in parallel with a criminal digital forensic investigation.

  Correct Answer: C

  This will then enable the PenTest to continue so that additional issues can be found, exploited, and analyzed.

• Question 109:

  A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

  A. /var/log/messages

  B. /var/log/last_user

  C. /var/log/user_log

  D. /var/log/lastlog

  Correct Answer: D

  The /var/log/lastlog file is a log file that stores information about the last user to sign in to the server. This file stores information such as the username, IP address, and timestamp of the last user to sign in to the server. It can be used by a penetration tester to determine the identity of the last user who signed in to the web server, which can be helpful in identifying the user who may have set up the backdoors and other malicious activities.

• Question 110:

  During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:

  nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191

  The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

  A. All of the ports in the target range are closed.

  B. Nmap needs more time to scan the ports in the target range.

  C. The ports in the target range cannot be scanned because they are common UDP ports.

  D. All of the ports in the target range are open

  Correct Answer: A

  The Nmap command uses the Xmas scan technique, which sends packets with the FIN, PSH, and URG flags set. This is an attempt to bypass firewall rules and elicit a response from open ports. However, if the target responds with an RST packet, it means that the port is closed. Open ports will either ignore the Xmas scan packets or send back an ACK packet. Therefore, the information most likely indicates that all of the ports in the target range are closed. References: [Nmap Scan Types], [Nmap Port Scanning Techniques], [CompTIA PenTest+ Study Guide: Exam PT0-002, Chapter 4: Conducting Passive Reconnaissance, page 127]