CompTIA PT0-003 - CompTIA PenTest+ Exam

From the Nmap results:

Service Analysis:

SSH (22): Secure Shell is a remote access protocol that is typically well-secured with encryption and authentication mechanisms. It’s not the easiest to exploit without valid credentials or known vulnerabilities.

SMTP (25): The port is filtered, which indicates that it might be blocked by a firewall, making it less accessible as an attack vector.

RPCBind (111): RPC services can sometimes expose vulnerabilities, but they are less common in modern systems.

NFS (2049): Network File System is a file-sharing service. Misconfigured NFS servers often expose sensitive files or directories that can be accessed without proper authentication.

Best Target:NFS (port 2049) is the most attractive target. Attackers can exploit insecure exports, gain unauthorized access to shared directories, or elevate privileges if the server allows root access over NFS.

CompTIA Pentest+ References:

Domain 2.0 (Information Gathering and Vulnerability Identification)

Domain 3.0 (Attacks and Exploits)

To collect information over the network, especially during an internal assessment, tools that can capture and analyze network traffic are essential. Responder is specifically designed for this purpose, and it can capture NTLM hashes and other credentials by poisoning various network protocols. Here’s a breakdown of the options:

Option A: ntlmrelayx.py -t 192.168.1.0/24 -1 1234

ntlmrelayx.py is used for relaying NTLM authentication but not for broad network information collection.

Option B: nc -tulpn 1234 192.168.1.2

Netcat (nc) is a network utility for reading from and writing to network connections using TCP or UDP but is not specifically designed for comprehensive information collection over a network.

Option C: responder.py -I eth0 -wP

Responder is a tool for LLMNR, NBT-NS, and MDNS poisoning. The -I eth0 option specifies the network interface, and -wP enables WPAD rogue server which is effective for capturing network credentials and other information.

Option D: crackmapexec smb 192.168.1.0/24

CrackMapExec is useful for SMB-related enumeration and attacks but not specifically for broad network information collection.

References from Pentest:

Anubis HTB: Highlights the use of Responder to capture network credentials and hashes during internal assessments​​.

Horizontall HTB: Demonstrates the effectiveness of Responder in capturing and analyzing network traffic for further exploitation​​.

======

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated

To collect permission details for objects within an Active Directory domain, the PenTest+ workflow most closely aligns with using SharpHound (the BloodHound data collector) followed by BloodHound analysis. SharpHound is executed from a domain-joined or internally reachable system using a valid AD account to enumerate domain relationships, including group membership, sessions, local admin rights, and—most importantly for this question—object control and ACL-based permissions (for example, rights that allow modifying users, resetting passwords, adding group members, or controlling GPOs). BloodHound then imports this collected graph data and allows the tester to run Cypher queries to identify effective privileges, abuse paths, and misconfigurations that enable privilege escalation or lateral movement.

Rubeus is primarily focused on Kerberos ticket operations (TGT/TGS manipulation, roasting, delegation abuse) and is not a Cypher-query permission-mapping platform. CrackMapExec supports network/AD operations, but it is not the standard toolchain for graph-based permission path analysis described in PenTest+. Registry collection is unrelated to enumerating domain object permissions.

Covert Data Exfiltration:

DNS traffic can be leveraged for covert data exfiltration because it is often allowed through firewalls and not heavily monitored.

Tools or techniques for DNS tunneling encode sensitive information into DNS queries or responses, resulting in an observable increase in DNS traffic.

Why Not Other Options?

B (URL spidering): This increases HTTP traffic, not DNS traffic.

C (HTML scrapping): Involves downloading website content, which primarily uses HTTP or HTTPS.

D (DoS attack): A DNS-based DoS attack would likely involve query floods from many sources, not necessarily related to the observed behavior in a penetration test.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Covert Communication Techniques and DNS Tunneling

Discovering valid corporate email addresses during reconnaissance is a classic OSINT outcome that directly enables social engineering attacks, especially phishing and related credential-harvesting techniques. In the PenTest+ methodology, information gathered in reconnaissance is leveraged to obtain an initial foothold, often by targeting users with realistic, role-based lures (for example, “support” tickets, “sales” leads, or “admin” notifications). The primary risk created by exposed or easily discoverable email identities is that an attacker can use them to deliver malicious links, weaponized attachments, or impersonation-based requests that may result in credential compromise or malware execution, leading to unauthorized access to internal systems and the network.

The other options do not logically follow from the provided evidence: email enumeration alone does not demonstrate sensitive servers are internet-exposed, does not indicate SQL injection likelihood (which is tied to web input validation and testing), and does not prove a data breach—only that addresses exist or can be collected publicly. Therefore, the most appropriate risk to leverage next is unauthorized network access via phishing/social engineering.

RFID cloning involves copying data from an existing access card to create a duplicate badge. Attackers use tools like Proxmark3 or Flipper Zero to capture and replicate RFID signals.

Option A (Smurfing) ❌: A DDoS attack technique, unrelated to physical security.

Option B (Credential stuffing) ❌: Uses compromised usernames/passwords, not RFID badges.

Option C (RFID cloning) ✅: Correct. Creates a duplicate access badge using RFID technology.

Option D (Card skimming) ❌: Steals credit card data, but does not duplicate RFID badges.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing & RFID Cloning

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn " Backdoor " /tr " C:\path\to\backdoor.exe " /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= " C:\path\to\backdoor.exe " start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest References:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.

======

The correct answer is B. nc " $ip_address$i " " :22 "

Netcat, commonly invoked as nc, can be used to connect to a specific TCP port and read service banners. SSH servers commonly listen on TCP port 22 and usually return a banner such as:

SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

This banner can help identify the SSH implementation and version, which may then be checked for known vulnerabilities.

A is incorrect because ping uses ICMP and does not connect to TCP port 22. The -c 22 option sends 22 ICMP echo requests; it does not perform SSH banner grabbing.

C is incorrect because arp is used to view or manipulate Address Resolution Protocol entries. It does not perform TCP port discovery or banner grabbing.

D is incorrect because curl scp://... attempts to use the SCP protocol and is not the best method for simple SSH port discovery and banner grabbing.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically service discovery and banner grabbing using tools other than Nmap.

Hidden form fields in web applications can store user roles, session tokens, and security parameters that attackers may exploit.

HTML scraping (Option D):

Involves analyzing HTML source code to find hidden fields like:

< input type= " hidden " name= " admin_access " value= " true " >

Attackers use tools like Burp Suite, ZAP, or browser developer tools (Ctrl+U or Inspect Element) to locate hidden fields.