Pass the CompTIA PenTest+ PT0-003 Questions and answers with CertsForce

A screenshot of a computer Description automatically generated

A screenshot of a computer screen Description automatically generated

Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.

The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.

Two best remediation options:

Restrict direct communications to App01.example.com to only approved components.

Require an additional authentication header value between CDN.example.com and App01.example.com.

Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it.

Require an additional authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.

Nmap Scan Observations:

CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.

App Server has open ports for HTTP, HTTPS, and filtered for MySQL.

DB Server has all ports filtered, typical for a database server that should not be directly accessible.

These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.

Spear phishing is a targeted email attack aimed at specific individuals within an organization. Unlike general phishing, spear phishing is personalized and often involves extensive reconnaissance to increase the likelihood of success.

Understanding Spear Phishing:

Targeted Attack: Focuses on specific individuals or groups within an organization.

Customization: Emails are customized based on the recipient ' s role, interests, or recent activities.

Purpose:

Testing Security Awareness: Evaluates how well individuals recognize and respond to phishing attempts.

Information Gathering: Attempts to collect sensitive information such as credentials, financial data, or personal details.

Process:

Reconnaissance: Gather information about the target through social media, public records, and other sources.

Email Crafting: Create a convincing email that appears to come from a trusted source.

Delivery and Monitoring: Send the email and monitor for responses or actions taken by the recipient.

References from Pentesting Literature:

Spear phishing is highlighted in penetration testing methodologies for testing security awareness and the effectiveness of email filtering systems.

HTB write-ups and phishing simulation exercises often detail the use of spear phishing to assess organizational security.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.

Understanding Hash-Based Relays:

NTLM Relay Attack: An attacker intercepts and relays NTLM authentication requests to another service, effectively performing authentication on behalf of the victim.

SMB Protocol: Port 445 is used for SMB/CIFS traffic, which supports NTLM authentication.

Prioritizing Port 445:

Vulnerability: SMB is often targeted because it frequently supports NTLM authentication, making it susceptible to relay attacks.

Tools: Tools like Responder and NTLMRelayX are commonly used to capture and relay NTLM hashes over SMB.

Execution:

Capture Hash: Use a tool like Responder to capture NTLM hashes.

Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445.

References from Pentesting Literature:

Penetration testing guides frequently discuss targeting SMB (port 445) for hash-based relay attacks.

HTB write-ups often include examples of NTLM relay attacks using port 445.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here’s why option B is correct:

Tailgating: This involves following an authorized person into a secure area without proper credentials. During busy times, it’s easier to blend in and gain access without being noticed. It tests the effectiveness of physical access controls and security personnel.

Cloning Badge Information: This can be effective but requires proximity to employees and specialized equipment, making it more complex and time-consuming.

Picking Locks: This is a more invasive technique that carries higher risk and is less stealthy compared to tailgating.

Dropping USB Devices: This tests employee awareness and response to malicious devices but does not directly test physical access controls.

References from Pentest:

Writeup HTB: Demonstrates the effectiveness of social engineering and tailgating techniques in bypassing physical security measures​​.

Forge HTB: Highlights the use of non-invasive methods like tailgating to test physical security without causing damage or raising alarms​​.

Conclusion:

Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.

======

Un access control vestibule (también conocido como mantrap) es una estructura de seguridad que permite que solo una persona entre a la vez a través de dos puertas controladas. Este tipo de estructura está diseñada específicamente para evitar tailgating, donde una persona no autorizada intenta entrar siguiendo a una autorizada.

No previene ataques como la clonación de credenciales (badge cloning), ni el uso de USB maliciosos, ni técnicas de lock picking.

Referencia: PT0-003 Objective 2.1 – Physical security controls, including mantraps and their use against tailgating.

Capturing plaintext credentials in network traffic is done using packet sniffing. Wireshark is the best tool for this task.

Option A (Burp Suite) ❌: Used for web application testing and intercepting HTTPS traffic, but not general network sniffing.

Option B (Wireshark) ✅: Correct.

Wireshark is a packet analysis tool that captures unencrypted network traffic, including plaintext credentials.

Option C (ZAP - Zed Attack Proxy) ❌: Similar to Burp Suite, but focused on web application security, not network packet capture.

Option D (Metasploit) ❌: Metasploit is used for exploitation rather than capturing traffic.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Packet Sniffing & Network Traffic Analysis

The command creates a scheduled task that executes a reverse shell payload at logon, ensuring persistence.

Option A (Enumerate tasks) ❌: This command creates a task, not lists tasks (schtasks /query is used for enumeration).

Option B (Establish persistence) ✅: Correct.

The attacker ensures a reverse shell opens every time a user logs in.

Option C (Deactivate Windows Update) ❌: The task is named " Windows Update " but does not disable updates.

Option D (Create a Windows Update binary) ❌: This executes a reverse shell, not a system update.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Windows Persistence Techniques

Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

Advanced Persistent Threat (APT):

Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.

Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.

Immediate Reporting:

Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.

Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.

Other Actions:

Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.

Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.

Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.

Pentest References:

Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.

Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.

By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

======

Shodan is a search engine that specializes in finding internet-connected devices, including ICS, IoT, webcams, routers, and servers. Attackers and security professionals use Shodan to scan for publicly accessible systems that may be vulnerable.

Option A (theHarvester) ❌: theHarvester is primarily used for OSINT (Open-Source Intelligence) gathering, such as email addresses, subdomains, and hostnames, but it does not specialize in ICS/IoT discovery.

Option B (Shodan) ✅: Correct. Shodan scans the internet for connected devices and services, allowing penetration testers to find ICS/IoT systems that are exposed.

Option C (Amass) ❌: Amass is used for subdomain enumeration and DNS reconnaissance, not for ICS or IoT discovery.

Option D (Nmap) ❌: Nmap is a port scanner that can identify live hosts and open ports, but it does not search for publicly available systems on a large scale like Shodan.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – OSINT and Reconnaissance

The correct answer is C. Maintains access into the compromised computer

The command uses schtasks to create a Windows scheduled task named Updates. The task is configured to run PowerShell and download/execute code from http://10.10.1.2/asd. The schedule option /sc onlogon means the task runs when a user logs on, and /ru System attempts to run it under the SYSTEM account.

This is a persistence technique. By creating a scheduled task that runs at logon, the tester can regain or maintain access after the initial shell is lost, the system reboots, or a user logs back in.

A is incorrect because the command does not directly upgrade the shell or exploit a privilege escalation vulnerability. It creates a scheduled task for recurring execution.

B is incorrect because the task is named Updates, but it is not actually using the Windows Update service.

D is incorrect because the command downloads and executes content from 10.10.1.2; it does not configure traffic forwarding or tunneling.

In PenTest+ terms, this falls under Attacks and Exploits, specifically post-exploitation persistence using Windows scheduled tasks.