CompTIA PT0-003 - CompTIA PenTest+ Exam

La técnica utilizada en este escenario es Shoulder Surfing, que consiste en observar directamente a una persona mientras trabaja, con el objetivo de recopilar información sensible, como credenciales, direcciones URL internas u otros datos confidenciales.

En este caso, el pentester siguió a los miembros del equipo DevOps durante sus desplazamientos (commute) y logró identificar una URL interna. No se usó ingeniería social directa (como en spear phishing), ni acceso físico no autorizado (como en tailgating), ni revisión de basura (dumpster diving).

Referencia: PT0-003 Objective 2.1 - Explain the importance of physical security assessments. Shoulder surfing is listed as a key social engineering technique.

The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.

Privilege escalation (Option B):

The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.

By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.

This technique is a DLL hijacking attack.

The Nmap Scripting Engine (NSE) best supports automated enumeration of permitted TLS/SSL ciphers across many targets because it enables repeatable, script-driven service interrogation during scanning. In PenTest+ vulnerability scanning and enumeration tasks, Nmap is used not only for port/service discovery but also for deeper service assessment using scripts such as those that enumerate SSL/TLS protocol versions and the cipher suites a server will negotiate. This directly matches the requirement to “automatically enumerate all ciphers permitted” on both internet-facing and internal web servers, since Nmap can be pointed at IP ranges and host lists and run the same TLS enumeration consistently across the environment, producing comparable results for analysis and reporting.

Shodan is primarily an external internet-wide search engine and is not suitable for internal-only hosts and controlled, comprehensive enumeration. Impacket targets Windows/AD and network protocol operations rather than TLS cipher auditing. Netcat can connect to services but does not provide scalable, structured cipher enumeration. Burp Suite is excellent for web application testing, but it is not the most direct or scalable choice for environment-wide TLS cipher inventory compared to scripted Nmap scanning.

MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.

Understanding MAC Address Spoofing:

MAC Address: A unique identifier assigned to network interfaces for communication on the physical network segment.

Spoofing: Changing the MAC address to a different one, typically that of an authorized device, to gain access to restricted networks.

Purpose:

Bypassing Access Controls: Gain access to networks that use MAC address filtering as a security measure.

Impersonation: Assume the identity of another device on the network to intercept traffic or access network resources.

Tools and Techniques:

Linux Command: Use the ifconfig or ip command to change the MAC address.

Step-by-Step Explanationifconfig eth0 hw ether 00:11:22:33:44:55

Tools: Tools like macchanger can automate the process of changing MAC addresses.

Impact:

Network Access: Gain unauthorized access to networks and network resources.

Interception: Capture traffic intended for another device, potentially leading to data theft or further exploitation.

Detection and Mitigation:

Monitoring: Use network monitoring tools to detect changes in MAC addresses.

Secure Configuration: Implement port security on switches to restrict which MAC addresses can connect to specific ports.

References from Pentesting Literature:

MAC address spoofing is a common technique discussed in wireless and network security chapters of penetration testing guides.

HTB write-ups often include examples of using MAC address spoofing to bypass network access controls and gain unauthorized access.

To maintain access to a compromised system after rebooting, a penetration tester should create a scheduled task. Scheduled tasks are designed to run automatically at specified times or when certain conditions are met, ensuring persistence across reboots.

Persistence Mechanisms:

Scheduled Task: Creating a scheduled task ensures that a specific program or script runs automatically according to a set schedule or in response to certain events, including system startup. This makes it a reliable method for maintaining access after a system reboot.

Reverse Shell: While establishing a reverse shell provides immediate access, it typically does not survive a system reboot unless coupled with another persistence mechanism.

Process Injection: Injecting a malicious process into another running process can provide stealthy access but may not persist through reboots.

Credential Dumping: Dumping credentials allows for re-access by using stolen credentials, but it does not ensure automatic access upon reboot.

Creating a Scheduled Task:

On Windows, the schtasks command can be used to create scheduled tasks. For example:

schtasks /create /tn " Persistence " /tr " C:\path\to\malicious.exe " /sc onlogon /ru SYSTEM

On Linux, a cron job can be created by editing the crontab:

(crontab -l; echo " @reboot /path/to/malicious.sh " ) | crontab -

Pentest References:

Maintaining persistence is a key objective in post-exploitation. Scheduled tasks (Windows Task Scheduler) and cron jobs (Linux) are commonly used techniques.

References to real-world scenarios include creating scheduled tasks to execute malware, keyloggers, or reverse shells automatically on system startup.

By creating a scheduled task, the penetration tester ensures that their access method (e.g., reverse shell, malware) is executed automatically whenever the system reboots, providing reliable persistence.

======

A screenshot of a computer Description automatically generated

A screenshot of a computer screen Description automatically generated

Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.

The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.

Two best remediation options:

Restrict direct communications to App01.example.com to only approved components.

Require an additional authentication header value between CDN.example.com and App01.example.com.

Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it.

Require an additional authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.

Nmap Scan Observations:

CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.

App Server has open ports for HTTP, HTTPS, and filtered for MySQL.

DB Server has all ports filtered, typical for a database server that should not be directly accessible.

These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.

The tester’s activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA). Here’s why:

Understanding SCA:

Definition: SCA involves analyzing software to identify third-party and open-source components, checking for known vulnerabilities, and ensuring license compliance.

Purpose: To detect and manage risks associated with third-party software components.

Comparison with Other Terms:

SAST (A): Static Application Security Testing involves analyzing source code for security vulnerabilities without executing the code.

SBOM (B): Software Bill of Materials is a detailed list of all components in a software product, often used in SCA but not the analysis itself.

ICS (C): Industrial Control Systems, not relevant to the context of software analysis.

The tester’s activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.

======

Windows provides built-in utilities for user enumeration and privilege escalation.

net command (Option C):

The net command is used to list users, groups, and shares on a Windows system:

net user

net localgroup administrators

net group " Domain Admins " /domain

Useful for gathering privilege escalation targets and understanding user permissions.

A reverse shell that is left on a target to maintain access is a form of persistence/backdoor. The action described — removing the reverse shell at the end of the engagement — is specifically the removal of a persistence mechanism. Post-engagement cleanup requires removal of any artifacts that provide continued access (web shells, scheduled tasks, reverse shells, cron jobs, created accounts, etc.) so the environment is returned to its pre-test state and to prevent later compromise.

Why not the others:

B (Uninstalling tools): Removing tools is also a cleanup activity, but the question explicitly references removing the reverse shell (persistence).

C (Preserving artifacts): Preserving artifacts is the opposite (saving logs/evidence) for incident response — not removing access.

D (Reverting configuration changes): Important, but the best single match for removing a reverse shell is “removing persistence mechanisms.”

PT0-003 mapping: Domain 5 — post-engagement cleanup and returning environment to baseline.

WiGLE.net is the best choice because it is purpose-built for identifying and mapping wireless networks (SSIDs/BSSIDs) using aggregated wardriving-style data and location-based search. In PenTest+ reconnaissance, testers often need to quickly determine what wireless networks are present in or around a physical location—especially when assessing how corporate mobile devices might encounter nearby SSIDs that could be abused for evil-twin or misassociation scenarios. WiGLE helps identify networks by area and provides details that support follow-on testing decisions, such as which SSIDs are common, whether naming patterns suggest corporate ownership, and whether nearby networks could confuse users or devices.

Wireshark is a packet analyzer and requires traffic capture; it is not a discovery database for “what networks exist” in a geographic area. theHarvester and Recon-ng are OSINT tools oriented toward emails, domains, hosts, and identity data—not local wireless network identification. For the stated goal of identifying available Wi-Fi networks for mobile-device exposure assessment, WiGLE.net most directly fits the objective.