CompTIA PT0-003 - CompTIA PenTest+ Exam

The correct answer is C. Session hijacking

The cookie value is only Base64 encoded, not encrypted or cryptographically protected. When decoded, it reveals a username and a numeric value:

Pentestuser:91536

After logging in again, the numeric value changes:

Pentestuser:91944

This strongly suggests the application may be storing a session identifier or authentication token in a predictable or weakly protected format. A penetration tester would most likely test whether the session value can be guessed, reused, modified, or replayed to take over another user’s session. That type of attack is session hijacking.

A is incorrect because a collision attack involves finding two different inputs that produce the same hash value. This scenario does not involve hash collision testing.

B is incorrect because JWT manipulation applies to JSON Web Tokens, which typically have three Base64URL-encoded sections separated by periods, such as header.payload.signature. The cookie shown is not a JWT.

D is incorrect because insecure direct object reference involves manipulating object identifiers, such as account IDs, invoice numbers, or file IDs, to access unauthorized resources. The issue here is related to authentication/session handling, not direct object access.

In PenTest+ terms, this falls under Attacks and Exploits, specifically web application attacks involving weak session management, predictable session tokens, and session hijacking.

Watering Hole Attack Explanation:

A watering hole attack involves compromising a website that the target frequently visits.

The attacker injects malicious code into the site, which then exploits users who access it.

Why Not Other Options?

B: DDoS attacks disrupt services but do not align with the watering hole strategy.

C: Social engineering may be effective but is not a watering hole attack.

D: Phishing is unrelated to compromising trusted websites.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

A template ensures consistency across reports by defining the required sections (scope, methodology, findings, risk ratings, remediation, evidence, executive summary, and appendices). Standardization helps reviewers and clients quickly find required information, supports quality assurance, and ensures compliance with contractual/reporting requirements. While templates also help articulate risks and contextualize data (A and C) and may indirectly save time (E), their primary purpose is to standardize needed information so every engagement includes the same baseline content and structure.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — produce consistent, repeatable reports and use templates to ensure completeness and QA.

By default, Nmap scans the top 1,000 most commonly used TCP ports unless otherwise specified.

Option A (256) ❌: Incorrect. This refers to the number of hosts in a /24 subnet, not the number of ports scanned.

Option B (1,000) ✅: Correct. Nmap defaults to scanning the 1,000 most common TCP ports unless the -p flag is used to specify a different range.

Option C (1,024) ❌: Incorrect. The first 1,024 ports are well-known ports, but Nmap scans 1,000 by default, not 1,024.

Option D (65,535) ❌: Incorrect. Nmap only scans all ports if the -p- flag is used (e.g., nmap -p- < target > ).

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Network Scanning with Nmap

Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security. Here’s why options D and E are correct:

Implement an SCA Tool:

SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process.

This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies.

Obtain the Latest Library Version:

Keeping libraries up to date is a fundamental practice in maintaining the security of an application. Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.

This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.

Other Options Analysis:

Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one.

Deploy an Asset Management System: While useful, this is not directly related to the identified high-risk issue of vulnerable libraries.

Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.

References from Pentest:

Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries​​.

Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks​​.

Conclusion:

Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.

======

Since SSID broadcast might be hidden, channel scanning allows the tester to identify active Wi-Fi networks.

Option A (Sidecar scanning) ❌: Not a recognized Wi-Fi testing method.

Option B (Channel scanning) ✅: Correct.

Identifies hidden SSIDs by monitoring probe requests and responses.

Option C (Stealth scanning) ❌: Typically refers to evading detection, not Wi-Fi analysis.

Option D (Static analysis scanning) ❌: Static analysis applies to code security, not Wi-Fi networks.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Wireless Reconnaissance Techniques

Rubeus is a post-exploitation tool used for Kerberos abuse, including ticket extraction, pass-the-ticket, ticket renewal, and Kerberoasting. It ' s ideal for lateral movement within Active Directory environments.

WinPEAS is mainly used for local privilege escalation and enumeration.

NTLMRelayX (from Impacket) is useful for relaying NTLM authentication but is not focused on Kerberos.

Impacket is a collection of tools; Rubeus is more targeted for Kerberos attacks.

The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Accessing the Wayback Machine:

Go to the Wayback Machine website: archive.org/web.

Enter the URL of the target website you want to explore.

Navigating Archived Pages:

The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

Identifying Subdomains:

Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

Tool Integration:

Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

Real-World Example:

During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

References from Pentesting Literature:

In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

Step-by-Step ExplanationReferences:

HTB Official Writeups

======

To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:

Understanding the Options:

-sU: Performs a UDP scan.

-sT: Performs a TCP connect scan.

Command Explanation:

Command: nmap -sU -sT -p 1-65535 example.com

This command will scan both TCP and UDP ports from 1 to 65535 on the target example.com. Combining -sU and -sT ensures that both types of services are scanned.

Comparison with Other Options:

-sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.

-sY: Initiates a SCTP INIT scan, not relevant for this context.

-sN: Initiates a TCP Null scan, which is not used for discovering UDP services.

======

The GetUserSPNs.py script (part of Impacket) is used in Kerberoasting attacks. It requests Service Principal Names (SPNs) for users with associated services, retrieves TGS tickets, and then allows offline cracking of those tickets.

From the CompTIA PenTest+ PT0-003 Study Guide (Chapter 8 – Post-Exploitation):

“Kerberoasting involves requesting service tickets for SPNs, which can then be cracked offline to retrieve service account passwords.”