Text preview & study summary

CompTIA PenTest+ PT0-003 - All Domains Penetration Testing Methodology

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A pentester discovers that an internal web application uses `http://app.internal/fetch?url=http://169.254.169.254/latest/meta-data/` and returns AWS instance metadata. What vulnerability is this?

Answer choices

  • A. Path traversal

  • B. SSRF (Server-Side Request Forgery) — the server makes requests on behalf of the attacker to internal endpoints (Correct)

  • C. SQL injection

  • D. XSS

Explanation

SSRF (Server-Side Request Forgery) occurs when an attacker can cause a server to make HTTP requests to arbitrary URLs. In cloud environments, this allows access to the instance metadata API (169.254.169.254) which can expose IAM credentials, allowing full cloud account compromise.

Question 2

A pentester obtains an NTLM hash for a domain user from a compromised workstation. Without cracking the hash, they use it to authenticate to other systems. What technique is this?

Answer choices

  • A. Rainbow table attack

  • B. Pass-the-Hash (PtH) (Correct)

  • C. Kerberoasting

  • D. Golden Ticket

Explanation

Pass-the-Hash (PtH) uses an NTLM hash directly for authentication without knowing the plaintext password. Tools like Mimikatz, Impacket's wmiexec/psexec, and CrackMapExec support PtH attacks against Windows systems, enabling lateral movement without password cracking.

Question 3

After completing a penetration test, the tester must restore all systems to their original state. Which of the following actions would be REQUIRED during cleanup?

Answer choices

  • A. Format all compromised systems

  • B. Remove all backdoors, test accounts, uploaded files, and malicious scripts; restore modified configurations; document all changes made (Correct)

  • C. Submit a vulnerability report only

  • D. Leave backdoors in place for the client to verify

Explanation

Pentest cleanup (as defined in the ROE) requires: removing all backdoors, tools, test accounts, and files placed during the test; restoring any modified system configurations; and documenting everything removed. Leaving backdoors is unethical and potentially illegal.

Question 4

During a pentest, a tester uses `msfvenom` to create a reverse shell payload. They embed it in a document. What type of payload delivery is this?

Answer choices

  • A. Network exploit

  • B. Client-side attack / Social engineering lure — an attacker-crafted malicious document that executes when the victim opens it (Correct)

  • C. Brute-force attack

  • D. SQL injection

Explanation

Client-side attacks deliver malicious payloads (macros, JavaScript, PDF exploits) embedded in documents that execute when a user opens them. This tests user security awareness and email filtering controls. `msfvenom` generates shellcode/payloads for various delivery mechanisms.

Question 5

During a web application test, a pentester injects `' OR '1'='1` into a login form's username field. The application returns "Welcome, admin!" without requiring a password. What vulnerability has been exploited?

Answer choices

  • A. XSS (Cross-Site Scripting)

  • B. CSRF (Cross-Site Request Forgery)

  • C. SQL injection (authentication bypass) (Correct)

  • D. Path traversal

Explanation

The payload `' OR '1'='1` terminates the username string and adds a condition that is always true, bypassing the SQL WHERE clause that checks credentials. The resulting query becomes `WHERE username='' OR '1'='1' AND password='...'`, authenticating without valid credentials.