Question 1

Which of the following commands will allow a tester to enumerate potential unquoted service paths on a host?
A) wmic environment get name, variablevalue, username | findstr /i "Path" | findstr /i "Service"
B) wmic service get /format:hform > c:	emp\services.html
C) wmic startup get caption, location, command |findstr /i "service" |findstr /v /i "%"
D) wmic service get name, displayname, pathname, startmode |findstr /i "auto" |findstr /i /v "c:\windows\" |findstr /i /v """

Accepted Answer

The command in option D lists services with their pathnames and filters out those that are quoted or located in the Windows directory, helping identify unquoted service paths.

Question 2

A penetration tester runs the following on a machine:  Which of the following will be returned?
A) 1
B) 3
C) 5
D) 6

Accepted Answer

The answer of A penetration tester runs the following on...

Question 3

A penetration tester discovers an anonymous FTP server that is sharing the C:\drive. Which of the following is the BEST exploit?
A) Place a batch script in the startup folder for all users.
B) Change a service binary location path to point to the tester's own payload.
C) Escalate the tester's privileges to SYSTEM using the at.exe command. Escalate the tester's privileges to SYSTEM using the at.exe command.
D) Download, modify, and reupload a compromised registry to obtain code execution.

Accepted Answer

The answer of A penetration tester discovers an anonymous FTP...

Question 4

A penetration tester has successfully exploited a vulnerability on an organization's authentication server and now wants to set up a reverse shell. The penetration tester finds that Netcat is not available on the target. Which of the following approaches is a suitable option to attempt NEXT?
A) Run xterm to connect to the X-server of the target.
B) Attempt to escalate privileges to acquire an interactive shell.
C) Try to use the /dev/tcp socket.
D) Attempt to read out/etc/shadow.

Accepted Answer

Using the /dev/tcp socket is a suitable option for setting up a reverse shell when Netcat is not available, as it allows for network communication directly from the shell.

Question 5

During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context: www-data . After reviewing, the following output from /etc/sudoers:  Which of the following users should be targeted for privilege escalation?
A) Only members of the Linux admin group, OPERATORS, ADMINS, jedwards, and operator can execute privileged commands useful for privilege escalation.
B) All users on the machine can execute privileged commands useful for privilege escalation.
C) Bfranks, emann, members of the Linux admin group, OPERATORS, and ADMINS can execute commands useful for privilege escalation.
D) Jedwards, operator, bfranks, emann, OPERATOR, and ADMINS can execute commands useful for privilege escalation.

Accepted Answer

The answer of During the exploitation phase of a penetration...

Question 6

A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access. Which of the following controls would BEST mitigate the vulnerability?
A) Implement authorization checks.
B) Sanitize all the user input.
C) Prevent directory traversal.
D) Add client-side security controls

Accepted Answer

Implementing authorization checks ensures that only users with the appropriate permissions can access certain features, preventing lower-privileged users from exploiting administrative functionalities.

Question 7

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?
A) DNS cache poisoning
B) Record and replay
C) Supervisory server SMB
D) Blind SQL injection

Accepted Answer

Supervisory server SMB is a protocol used by ICS equipment to communicate with each other. By exploiting a vulnerability in this protocol, an attacker could potentially cause a physical effect, such as disrupting the operation of the equipment.

Question 8

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?
A) Shell binary placed in C:\windows	emp
B) Modified daemons
C) New user creation
D) Backdoored executables

Accepted Answer

Creating a new user account is a technique that can ensure persistence, as it allows the attacker to maintain access even if other methods are detected and removed by antivirus software.

Question 9

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?
A) Run a network vulnerability scan.
B) Run a stress test.
C) Run an MITM attack.
D) Run a port scan.

Accepted Answer

A Man-In-The-Middle (MITM) attack allows the tester to intercept and analyze network traffic, identifying cleartext protocols and sensitive data without actively sending packets or altering the network state.

Question 10

A senior employee received a suspicious email from another executive requesting an urgent wire transfer. Which of the following types of attacks is likely occurring?
A) Spear phishing
B) Business email compromise
C) Vishing
D) Whaling

Accepted Answer

The answer of A senior employee received a suspicious email...

Question 11

When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client's systems?
A) The proposed mitigations and remediations in the final report do not include a cost-benefit analysis.
B) The NDA protects the consulting firm from future liabilities in the event of a breach.
C) The assessment reviewed the cyber key terrain and most critical assets of the client's network.
D) The penetration test is based on the state of the system and its configuration at the time of assessment.

Accepted Answer

The disclaimer that the penetration test is based on the state of the system and its configuration at the time of assessment helps mitigate liability by clarifying that any future changes to the system or its configuration are not covered by the test results.

Question 12

An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization's server segment. During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack. Which of the following actions should the penetration tester take?
A) Attempt to use the remnant tools to achieve persistence.
B) Document the presence of the left-behind tools in the report and proceed with the test.
C) Remove the tools from the affected systems before continuing on with the test.
D) Discontinue further testing and report the situation to management.

Accepted Answer

The penetration tester should document the presence of the tools as part of their findings and continue with the test, as this information is crucial for the organization to understand potential vulnerabilities and past breaches.

Question 13

Which of the following actions BEST matches a script kiddie's threat actor?
A) Exfiltrate network diagrams to perform lateral movement.
B) Steal credit cards from the database and sell them in the deep web.
C) Install a rootkit to maintain access to the corporate network.
D) Deface the website of a company in search of retribution.

Accepted Answer

The answer of Which of the following actions BEST matches...

Question 14

An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?
A) Misconfigured routes
B) Certificate pinning
C) Strong cipher suites
D) Closed ports

Accepted Answer

Certificate pinning is likely preventing the proxy tool from intercepting and decrypting all traffic, as it ensures the application only trusts specific certificates, blocking the attacker's proxy certificate.

Question 15

A penetration tester is attempting to open a socket in a bash script but receives errors when running it. The current state of the relevant line in the script is as follows: Which of the following lines of code would correct the issue upon substitution? A) open 0<>/dev/tcp/${HOST}:${PORT} B) exec 0/dev/tcp/${HOST}/${PORT} E) open 3

Accepted Answer

The answer of A penetration tester is attempting to open...

Question 16

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?
A) nc -lvp 4444 /bin/bash
B) nc -vp 4444 /bin/bash
C) nc -p 4444 /bin/bash
D) nc -lp 4444 -e /bin/bash

Accepted Answer

The answer of A penetration tester has compromised a host....

Question 17

A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?
A) background
B) hashdump
C) session
D) getuid
E) psexec

Accepted Answer

The "hashdump" command in Meterpreter is used to dump password hashes from the targeted system, which can be used to harvest locally stored credentials.

Question 18

A penetration tester has been hired to perform a penetration test for an organization. Which of the following is indicative of an error-based SQL injection attack?
A) a=1 or 1--
B) 1=1 or b--
C) 1=1 or 2--
D) 1=1 or a--

Accepted Answer

Error-based SQL injection attacks often involve injecting SQL code that causes an error message to be returned, which can reveal information about the database. The choice "a=1 or 1--" is a common pattern used in SQL injection to manipulate queries and potentially cause errors.

Question 19

A company has engaged a penetration tester to perform an assessment for an application that resides in the company's DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester's IP address be whitelisted?
A) WAF
B) HIDS
C) NIDS
D) DLP

Accepted Answer

The answer of A company has engaged a penetration tester...

Question 20

A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?
A) Download the GHOST file to a Linux system and compile   gcc -o GHOST   test i:   ./GHOST
B) Download the GHOST file to a Windows system and compile    gcc -o GHOST GHOST.c    gcc -o GHOST GHOST.c
C) ./GHOST
D)    gcc -o GHOST gcc -o GHOST

Accepted Answer

The answer of A penetration tester wants to check manually...

Exam 12: CompTIA PenTest+ Certification Exam

Which of the following commands will allow a tester to enumerate potential unquoted service paths on a host?

A penetration tester runs the following on a machine: Which of the following will be returned?

A penetration tester discovers an anonymous FTP server that is sharing the C:\drive. Which of the following is the BEST exploit?

A penetration tester has successfully exploited a vulnerability on an organization's authentication server and now wants to set up a reverse shell. The penetration tester finds that Netcat is not available on the target. Which of the following approaches is a suitable option to attempt NEXT?

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

A senior employee received a suspicious email from another executive requesting an urgent wire transfer. Which of the following types of attacks is likely occurring?

When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client's systems?

Which of the following actions BEST matches a script kiddie's threat actor?

A penetration tester is attempting to open a socket in a bash script but receives errors when running it. The current state of the relevant line in the script is as follows: Which of the following lines of code would correct the issue upon substitution?

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

A penetration tester has been hired to perform a penetration test for an organization. Which of the following is indicative of an error-based SQL injection attack?

A company has engaged a penetration tester to perform an assessment for an application that resides in the company's DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester's IP address be whitelisted?

A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?