CompTIA PT0-003 - CompTIA PenTest+ Exam

The correct answer is A. Decompile the bytecode.

Java applications are commonly distributed as archive files such as .jar, .war, or .ear files. These archives usually contain compiled Java bytecode in .class files rather than the original readable source code.

To perform static analysis, the tester must inspect the application without executing it. Therefore, the first practical step is to extract and decompile the Java bytecode back into readable Java-like source code using tools such as JD-GUI, CFR, FernFlower, or JADX.

B is incorrect because fuzz testing is a dynamic testing technique. It involves sending malformed or unexpected inputs to a running application, not reviewing the application statically.

C is incorrect because a .so file is a Linux shared object library. Converting a Java archive to a .so file is not part of Java static analysis.

D is incorrect because the Java interpreter is part of the runtime environment. Disassembling the interpreter does not analyze the target Java application.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically static application security testing, reverse engineering Java archives, and reviewing compiled bytecode for security flaws.

Moorche2026-04-29T01:08:00.59M

Part 1 - 192.168.2.2 -O -sV --top-ports=100 and SMB vulns

Part 2 - Weak SMB file permissions

https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting-os-and-services-running-on-a-target-host

The vulnerability in question is XML External Entity (XXE) injection, which occurs when an application processes XML input containing external entities that access files on the server or external resources.

Disabling External Entities:

The root cause of the issue is the application ' s ability to process external entities ( < !ENTITY foo SYSTEM ... > ). Disabling external entities entirely prevents XXE attacks.

This can be achieved by properly configuring the XML parser (e.g., in Java, disable DocumentBuilderFactory.setFeature( " http://apache.org/xml/features/disallow-doctype-decl " , true)).

Why Not Other Options?

A (chmod o-rwx): File permission hardening may reduce the impact of a successful attack but does not mitigate XXE at the parser level.

B (Review logs): Reviewing logs is a reactive measure, not a prevention mechanism.

D (WAF): A WAF may block some malicious requests but is not a reliable mitigation for XXE vulnerabilities embedded in legitimate XML input.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

OWASP XXE Prevention Cheat Sheet

Installation:

Nmap can be installed on various operating systems. For example, on a Debian-based system:

sudo apt-get install nmap

Basic Network Scanning:

To scan a range of IP addresses in the network:

nmap -sP 192.168.1.0/24

Service and Version Detection:

To scan for open ports and detect the service versions running on a specific host:

nmap -sV 192.168.1.10

Enumerating Domain Systems:

Use Nmap with additional scripts to enumerate domain systems. For example, using the --script option:

nmap -p 445 --script=smb-enum-domains 192.168.1.10

Advanced Scanning Options:

Stealth Scan: Use the -sS option to perform a stealth scan:

nmap -sS 192.168.1.10

Aggressive Scan: Use the -A option to enable OS detection, version detection, script scanning, and traceroute:

nmap -A 192.168.1.10

Real-World Example:

A penetration tester uses Nmap to enumerate the systems within a domain by scanning the network for live hosts and identifying the services running on each host. This information helps in identifying potential vulnerabilities and entry points for further exploitation.

References from Pentesting Literature:

In " Penetration Testing - A Hands-on Introduction to Hacking, " Nmap is extensively discussed for various stages of the penetration testing process, from reconnaissance to vulnerability assessment.

HTB write-ups often illustrate the use of Nmap for network enumeration and discovering potential attack vectors.

The command xp_cmdshell executes system-level commands from SQL Server. The command whoami /all is used to enumerate user privileges, group memberships, and security contexts on Windows systems.

From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 – Post-Exploitation Techniques):

“Using xp_cmdshell and system commands like whoami /all allows testers to identify the privilege level of the database user and system access level.”

C2 servers are used to remotely control compromised systems while avoiding detection.

Covenant (Option B):

Covenant is an advanced C2 framework designed for stealthy post-exploitation in red team operations.

Supports encrypted communication, privilege escalation, and evasion techniques.

The command creates a scheduled task that executes a reverse shell payload at logon, ensuring persistence.

Option A (Enumerate tasks) ❌: This command creates a task, not lists tasks (schtasks /query is used for enumeration).

Option B (Establish persistence) ✅: Correct.

The attacker ensures a reverse shell opens every time a user logs in.

Option C (Deactivate Windows Update) ❌: The task is named " Windows Update " but does not disable updates.

Option D (Create a Windows Update binary) ❌: This executes a reverse shell, not a system update.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Windows Persistence Techniques

Eavesdropping:

Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.

Why Not Other Options?

B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.

C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.

D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Techniques for Intercepting Communication

A screenshot of a computer Description automatically generated

To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract specific columns from the database that typically contain password hashes. The --dump command in sqlmap is used to dump the contents of the specified database table. Here’s a breakdown of the options:

Option A: sqlmap -u www.example.com/?id=1 --search -T user

The --search option is used to search for columns and not to dump data. This would not enumerate password hashes.

Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

This command uses --dump to extract data from the specified database accounts, table users, and column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing the password hashes.

Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts

The --tables option lists all tables in the specified database but does not extract data.

Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

The --schema option provides the database schema information, and --current-user and --current-db provide information about the current user and database but do not dump data.

References from Pentest:

Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes​​.

Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database​​.

======