CompTIA CompTIA Certifications PT0-003 Questions & Answers

• Question 221:

  SIMULATION A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets. INSTRUCTIONS Select the appropriate answer(s), given the output from each section. Output 1

  

  

  A. Check the answer in explanation.

  Correct Answer:

  Answer: See all the solutions below in Explanation.

  

• Question 222:

  SIMULATION

  Using the output, identify potential attack vectors that should be further investigated.

  

  

  

  A. See explanation below.

  B. PlaceHolder

  C. PlaceHolder

  D. PlaceHolder

  Correct Answer: A

  1: Null session enumeration

  Weak SMB file permissions

  Fragmentation attack

  2: nmap

  -sV

  -p 1-1023

  192.168.2.2

  3: #!/usr/bin/python

  export $PORTS = 21,22

  for $PORT in $PORTS:

  try:

  s.connect((ip, port))

  print("%s:%s ?OPEN" % (ip, port))

  except socket.timeout

  print("%:%s ?TIMEOUT" % (ip, port))

  except socket.error as e:

  print("%:%s ?CLOSED" % (ip, port))

  finally

  s.close()

  port_scan(sys.argv[1], ports)

• Question 223:

  SIMULATION

  A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists.

  

  Part 1:

  Analyze the output and select the command to exploit the vulnerable service.

  Part 2:

  Analyze the output from each command.

  Select the appropriate set of commands to escalate privileges.

  Identify which remediation steps should be taken.

  

  A. See the below for complete solution.

  B. PlaceHolder

  C. PlaceHolder

  D. PlaceHolder

  Correct Answer: A

  The command that would most likely exploit the services is:

  hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22

  The appropriate set of commands to escalate privileges is:

  echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd

  The remediations that should be taken after the successful privilege escalation are:

  Remove the SUID bit from cp.

  Make backup script not world-writable.

  Comprehensive Step-by-Step of the Simulation Part 1: Exploiting Vulnerable Service

  Nmap Scan Analysis

  bash

  Copy code

  Port State Service

  22/tcp open ssh

  23/tcp closed telnet

  80/tcp open http

  111/tcp closed rpcbind

  445/tcp open samba

  3389/tcp closed rdp

  Ports open are SSH (22), HTTP (80), and Samba (445).

  Enumerating Samba Shares

  makefile

  Copy code

  user:[games] rid:[0x3f2]

  user:[nobody] rid:[0x1f5]

  user:[bind] rid:[0x4ba]

  user:[proxy] rid:[0x42]

  user:[syslog] rid:[0x4ba]

  user:[www-data] rid:[0x42a]

  user:[root] rid:[0x3e8]

  user:[news] rid:[0x3fa]

  user:[lowpriv] rid:[0x3fa]

  We identify a user lowpriv.

  Selecting Exploit Command

  Executing the Hydra Command

  Part 2: Privilege Escalation and Remediation

  Finding SUID Binaries and Configuration Files

  Selecting Privilege Escalation Command

  Executing the Privilege Escalation Command

  Remediation Steps Post-Exploitation

  Execution and Verification

  Verifying Hydra Attack:

  Verifying Privilege Escalation:

  Implementing Remediation:

  By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.

• Question 224:

  SIMULATION

  A penetration tester performs several Nmap scans against the web application for a client.

  INSTRUCTIONS

  Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  A. See the explanation part for detailed solution.

  B. PlaceHolder

  C. PlaceHolder

  D. PlaceHolder

  Correct Answer: A

  A screenshot of

  a computer

  A screenshot of

  a computer screen

  Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.

  The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the

  production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.

  Two best remediation options:

  Restrict direct communications to App01.example.com to only approved components.

  Require an additional authentication header value between CDN.example.com and App01.example.com.

  Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it. Require an additional

  authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating

  SSRF and other indirect attack vectors.

  Nmap Scan Observations:

  CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.

  App Server has open ports for HTTP, HTTPS, and filtered for MySQL. DB Server has all ports filtered, typical for a database server that should not be directly accessible.

  These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.

• Question 225:

  DRAG DROP

  You are a penetration tester reviewing a client's website through a web browser.

  INSTRUCTIONS

  Review all components of the website through the browser to determine if vulnerabilities are present.

  Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  Select and Place:

  

  Correct Answer:

  

• Question 226:

  Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once.

  Select and Place:

  

  Correct Answer:

  

• Question 227:

  A manager calls upon a tester to assist with diagnosing an issue within the following:

  Python script: #!/usr/bin/python s = “Administrator”

  The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all.

  Select and Place:

  

  Correct Answer:

  

• Question 228:

  DRAG DROP

  A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the “false positive” token to the “Confirmed” column for each vulnerability that is a false positive.

  Select and Place:

  

  Correct Answer:

  

• Question 229:

  DRAG DROP

  Instructions:

  Analyze the code segments to determine which sections are needed to complete a port scanning script. Drag the appropriate elements into the correct locations to complete the script.

  If at any time you would like to bring back the initial state of the simulation, please click the reset all button.

  During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

  Select and Place:

  

  Correct Answer:

  

• Question 230:

  HOTSPOT

  A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

  INSTRUCTIONS

  Select the tool the penetration tester should use for further investigation.

  Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  Hot Area:

  

  Correct Answer:

  

  Explanation:

  The tool the penetration tester should use for the further investigation is WPScan The two entries in the robots.txt file that the penetration tester should recommend for removal are 14 Allow: /admin 15 Allow: /wp-admin