Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. CompTIA
  5. PT0-003

CompTIA PT0-003 Exam Questions
CompTIA PenTest+ (Page 7 )

Updated On: 21-Feb-2026
Page 7 of 49
PDF with 218 Questions

[Attacks and Exploits]
A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application.
While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system.
Which of the following attacks is the tester performing?

  1. Kiosk escape
  2. Arbitrary code execution
  3. Process hollowing
  4. Library injection

Answer(s): A

Explanation:

A kiosk escape involves breaking out of a restricted environment, such as a kiosk or a single application interface, to access the underlying operating system. Here's why option A is correct:
Kiosk Escape: This attack targets environments where user access is intentionally limited, such as a kiosk or a dedicated application. The goal is to break out of these restrictions and gain access to the full operating system.
Arbitrary Code Execution: This involves running unauthorized code on the system, but the scenario described is more about escaping a restricted environment. Process Hollowing: This technique involves injecting code into a legitimate process, making it appear benign while executing malicious activities.
Library Injection: This involves injecting malicious code into a running process by loading a malicious library, which is not the focus in this scenario.
Reference from Pentest:
Forge HTB: Demonstrates techniques to escape restricted environments and gain broader access to the system.
Horizontall HTB: Shows methods to break out of limited access environments, aligning with the concept of kiosk escape.
Conclusion:
Option A, Kiosk escape, accurately describes the type of attack where a tester breaks out of a restricted environment to access the underlying operating system.



A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes
Encryption | 1 | Low | Weak algorithm noted
Patching | 8 | Medium | Unsupported systems
System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities Password policy | 0 | Low | No exceptions noted
Based on the findings, which of the following recommendations should the tester make? (Select two).

  1. Develop a secure encryption algorithm.
  2. Deploy an asset management system.
  3. Write an SDLC policy.
  4. Implement an SCA tool.
  5. Obtain the latest library version.
  6. Patch the libraries.

Answer(s): D,E

Explanation:

Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security. Here's why options D and E are correct:
Implement an SCA Tool:
SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process. This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies.
Obtain the Latest Library Version:
Keeping libraries up to date is a fundamental practice in maintaining the security of an application. Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.
This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.
Other Options Analysis:
Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one. Deploy an Asset Management System: While useful, this is not directly related to the identified high- risk issue of vulnerable libraries.
Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.
Reference from Pentest:
Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries.
Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks.
Conclusion:
Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.



[Information Gathering and Vulnerability Scanning]
While conducting a reconnaissance activity, a penetration tester extracts the following information:

Emails: - admin@acme.com - sales@acme.com - support@acme.com

Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?

  1. Unauthorized access to the network
  2. Exposure of sensitive servers to the internet
  3. Likelihood of SQL injection attacks
  4. Indication of a data breach in the company

Answer(s): A

Explanation:

When a penetration tester identifies email addresses during reconnaissance, the most immediate risk to leverage for an attack is unauthorized access to the network. Here's why:
Phishing Attacks:
Email addresses are often used to conduct phishing attacks. By crafting a convincing email, an attacker can trick the recipient into revealing their login credentials or downloading malicious software, thereby gaining unauthorized access to the network.
Spear Phishing:
With specific email addresses (like admin@acme.com), attackers can perform spear phishing, targeting key individuals within the organization to gain access to more sensitive parts of the network.
Comparison with Other Risks:
Exposure of sensitive servers to the internet (B): This is unrelated to the email addresses and more about network configuration.
Likelihood of SQL injection attacks (C): SQL injection targets web applications and databases, not email addresses.
Indication of a data breach in the company (D): The presence of email addresses alone does not indicate a data breach.
Email addresses are a starting point for phishing attacks, making unauthorized access to the network the most relevant risk.



[Attacks and Exploits]
A penetration tester gains access to a host but does not have access to any type of shell.
Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

  1. ProxyChains
  2. Netcat
  3. PowerShell ISE
  4. Process IDs

Answer(s): B

Explanation:

If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here's why:
Netcat:

Versatility: Netcat is known as the "Swiss Army knife" of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells. Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host's environment.
Comparison with Other Tools:
ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.
PowerShell ISE: Requires a shell to execute commands and scripts. Process IDs: Without a shell, enumerating process IDs directly isn't possible. Netcat's ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.



[Information Gathering and Vulnerability Scanning]
A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter.
Which of the following commands should the tester run to successfully test for secrets exposure exploitability?

  1. curl <url>?param=http://169.254.169.254/latest/meta-data/
  2. curl '<url>?param=http://127.0.0.1/etc/passwd'
  3. curl '<url>?param=<script>alert(1)<script>/'
  4. curl <url>?param=http://127.0.0.1/

Answer(s): A

Explanation:

In a cloud environment, testing for Server-Side Request Forgery (SSRF) vulnerabilities involves attempting to access metadata services. Here's why the specified command is appropriate:
Accessing Cloud Metadata Service:
URL: http://169.254.169.254/latest/meta-data/ is a well-known endpoint in cloud environments (e.g., AWS) to access instance metadata.
Purpose: By exploiting SSRF to access this URL, an attacker can retrieve sensitive information such as instance credentials and other metadata.
Comparison with Other Commands:
127.0.0.1/etc/passwd: This is more about local file inclusion, not specific to cloud metadata. <script>alert(1)</script>: This tests for XSS, not SSRF. 127.0.0.1: This is a generic loopback address and does not specifically test for metadata access in a cloud environment.
Using curl <url>?param=http://169.254.169.254/latest/meta-data/ is the correct approach to test for SSRF vulnerabilities in cloud environments to potentially expose secrets.






Post your Comments and Discuss CompTIA PT0-003 exam dumps with other Community members:

Join the PT0-003 Discussion