PT0-003 CompTIA PenTest+ Exam Free Practice Exam Questions (2026 Updated)

Publicly accessible code repositories (GitHub, GitLab, Bitbucket, etc.) frequently leak API keys, service account credentials, private keys, or other secrets embedded in source code, configuration files, CI/CD pipelines, or commit histories. These secrets can provide direct access to cloud resources (storage blobs, databases, management APIs) and are therefore one of the most effective public sources for compromising cloud infrastructure.

Why the other options are less effective as public sources:

A. Sensitive documents on a public cloud — if truly public, they may contain useful info, but sensitive documents are typically not intentionally left public; repositories with keys are a more common accidental exposure.

B. Open ports on the cloud infrastructure — helpful for attack surface analysis, but open ports alone don’t directly provide credentials or cloud-management access.

D. SSL certificates on websites — useful for host identification and fingerprinting, but rarely give direct access to cloud management.

CompTIA PT0-003 Mapping: Information gathering and open-source intelligence (OSINT) techniques to discover credentials and secrets that enable cloud compromise.

1: Null session enumeration

Weak SMB file permissions

Fragmentation attack

2: nmap

-sV

-p 1-1023

192.168.2.2

3: #!/usr/bin/python

export $PORTS = 21,22

for $PORT in $PORTS:

try:

s.connect((ip, port))

print(“%s:%s – OPEN” % (ip, port))

except socket.timeout

print(“%:%s – TIMEOUT” % (ip, port))

except socket.error as e:

print(“%:%s – CLOSED” % (ip, port))

finally

s.close()

port_scan(sys.argv[1], ports)

A reverse shell that is left on a target to maintain access is a form of persistence/backdoor. The action described — removing the reverse shell at the end of the engagement — is specifically the removal of a persistence mechanism. Post-engagement cleanup requires removal of any artifacts that provide continued access (web shells, scheduled tasks, reverse shells, cron jobs, created accounts, etc.) so the environment is returned to its pre-test state and to prevent later compromise.

Why not the others:

B (Uninstalling tools): Removing tools is also a cleanup activity, but the question explicitly references removing the reverse shell (persistence).

C (Preserving artifacts): Preserving artifacts is the opposite (saving logs/evidence) for incident response — not removing access.

D (Reverting configuration changes): Important, but the best single match for removing a reverse shell is “removing persistence mechanisms.”

PT0-003 mapping: Domain 5 — post-engagement cleanup and returning environment to baseline.

When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection. Here’s an analysis of each option:

Use steganography and send the file over FTP (Option A):

Steganography hides data within other files, such as images. FTP is a protocol for transferring files.

Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception. Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.

Compress the file and send it using TFTP (Option B):

TFTP is a simple file transfer protocol that lacks encryption.

Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.

Split the file in tiny pieces and send it over dnscat (Option C):

dnscat is a tool for tunneling data over DNS.

Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.

Encrypt and send the file over HTTPS (Answer: D):

Encrypting the file ensures that its contents are protected during transfer. HTTPS provides a secure, encrypted channel for communication over the internet.

Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.

The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.

Why B is correct:

Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.

Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.

Why the other answers are incomplete or secondary:

A. Enable a host-based firewall on the machine — a reasonable defensive step if missing, but it does not replace removing the persistence that was the cause of the breach.

C. Revert configuration changes made during the engagement — also important and should be done, but the highest priority is removing active persistence that gives access. (Both B and C are valid cleanup activities; B is the single best answer given the question.)

D. Turn off command-and-control infrastructure — this is appropriate for the tester’s own infrastructure, but the critical action on the client side is removing client-side persistence. Also, turning off C2 after the test is expected, but will not remediate the remaining web shell on the client.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — post-engagement cleanup and handoff (remediation actions, removal of test artifacts, maintaining chain of custody and evidence, and returning environment to agreed baseline).

Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

Advanced Persistent Threat (APT):

Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.

Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.

Immediate Reporting:

Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.

Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.

Other Actions:

Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.

Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.

Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.

Pentest References:

Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.

Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.

By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

======

Evaluating a container orchestration cluster, such as Kubernetes, requires specialized tools designed to assess the security and configuration of container environments. Here’s an analysis of each tool and why Kube-hunter is the best choice:

Trivy (Option A):

Trivy is a vulnerability scanner for container images and filesystem.

Capabilities: While effective at scanning container images for vulnerabilities, it is not specifically designed to assess the security of a container orchestration cluster itself.

Nessus (Option B):

Nessus is a general-purpose vulnerability scanner that can assess network devices, operating systems, and applications.

Capabilities: It is not tailored for container orchestration environments and may miss specific issues related to Kubernetes or other orchestration systems.

Grype (Option C):

Grype is a vulnerability scanner for container images.

Capabilities: Similar to Trivy, it focuses on identifying vulnerabilities in container images rather than assessing the overall security posture of a container orchestration cluster.

Kube-hunter (Answer: D):

Kube-hunter is a tool specifically designed to hunt for security vulnerabilities in Kubernetes clusters.

Capabilities: It scans the Kubernetes cluster for a wide range of security issues, including misconfigurations and vulnerabilities specific to Kubernetes environments.

The correct answer is B. nc " $ip_address$i " " :22 "

Netcat, commonly invoked as nc, can be used to connect to a specific TCP port and read service banners. SSH servers commonly listen on TCP port 22 and usually return a banner such as:

SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

This banner can help identify the SSH implementation and version, which may then be checked for known vulnerabilities.

A is incorrect because ping uses ICMP and does not connect to TCP port 22. The -c 22 option sends 22 ICMP echo requests; it does not perform SSH banner grabbing.

C is incorrect because arp is used to view or manipulate Address Resolution Protocol entries. It does not perform TCP port discovery or banner grabbing.

D is incorrect because curl scp://... attempts to use the SCP protocol and is not the best method for simple SSH port discovery and banner grabbing.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically service discovery and banner grabbing using tools other than Nmap.

Breach and Attack Simulation (BAS) tools emulate real-world attacks to test security controls.

Atomic Red Team (Option C):

Atomic Red Team is an open-source BAS framework that provides simple commands to simulate MITRE ATT & CK® techniques.

It allows controlled adversary simulations without real exploitation.

The correct answer is B. Provide the customer with a list of the changes made.

At the end of a penetration test, the tester must support post-engagement cleanup and restoration. To verify that exploited systems have been returned to their original state, the tester should provide the customer with a complete list of changes made during the engagement. This allows the client to confirm that all modifications, deployed tools, payloads, accounts, configuration changes, scripts, files, and other artifacts have been removed or restored appropriately.

A is incorrect because terminating a command-and-control payload addresses only one possible artifact. It does not verify that all exploited systems have been restored to preengagement conditions.

C is incorrect because restoring environment variables may be part of cleanup, but it is too narrow and only applies if environment variables were changed.

D is incorrect because reimaging a system is disruptive and may not be necessary. It should only be done if required by the client’s recovery process or if restoration cannot be otherwise verified.

In PenTest+ terms, this falls under Reporting and Communication, specifically post-engagement cleanup, restoration validation, documentation of changes, and client handoff.

Banner grabbing is a technique used to obtain information about a network service, including its version number, by connecting to the service and reading the response.

Understanding Banner Grabbing:

Purpose: Identify the software version running on a service by reading the initial response banner.

Methods: Can be performed manually using tools like Telnet or automatically using tools like Nmap.

Manual Banner Grabbing:

Step-by-Step Explanationtelnet target_ip 80

Netcat: Another tool for banner grabbing.

nc target_ip 80

Automated Banner Grabbing:

Nmap: Use Nmap’s version detection feature to grab banners.

nmap -sV target_ip

Benefits:

Information Disclosure: Quickly identify the version and sometimes configuration details of the service.

Targeted Exploits: Helps in selecting appropriate exploits based on the identified version.

References from Pentesting Literature:

Banner grabbing is a fundamental technique in reconnaissance, discussed in various penetration testing guides.

HTB write-ups often include banner grabbing as a step in identifying the version of services.

ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.

Understanding ProxyChains:

Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).

Usage: It’s commonly used to anonymize network traffic and perform actions through an intermediate proxy.

Command Breakdown:

proxychains nmap -sT < target_cidr > : This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.

Nmap Scan (-sT): This option specifies a TCP connect scan.

Setting Up ProxyChains:

Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.

Adding Proxy: Add the compromised host as a SOCKS proxy.

Step-by-Step Explanationplaintext

Copy code

socks4 127.0.0.1 1080

Execution:

Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).

Run ProxyChains with Nmap: Execute the command on the attacker ' s host.

proxychains nmap -sT < target_cidr >

References from Pentesting Literature:

ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.

HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate systems.

theHarvester is purpose-built for reconnaissance that supports social engineering and phishing assessments by collecting email addresses, employee names, and related identity information from public sources (for example, search engines, PGP key servers, and other OSINT repositories). In a PenTest+ workflow, this aligns directly with the objective of identifying specific people who could be targeted in a phishing simulation—especially when the tester needs a list of likely corporate users and roles to validate awareness controls and email security.

By contrast, WHOIS primarily reveals domain registration details (often privacy-protected) and is not optimized for enumerating a broad set of internal users. Censys.io focuses on internet-exposed hosts, certificates, and services, which is valuable for attack surface mapping but not for building a human target list. SpiderFoot is a general OSINT automation platform, but theHarvester most directly matches the stated goal of harvesting names/emails suitable for phishing target identification.

Burp Suite Community Edition imposes limitations that can slow high-volume Intruder activities, particularly when performing repetitive request mutation such as parameter fuzzing, directory/file discovery, or input testing with wordlists. In PenTest+ tooling guidance, testers are expected to select alternative tools when a platform constraint reduces efficiency while still keeping the testing objective the same. Wfuzz is designed specifically for fast web fuzzing: it can rapidly send large volumes of HTTP requests while varying parameters, headers, paths, or payload positions using wordlists, and it supports filtering/matching responses (status codes, response size, strings) to identify interesting results—functionally similar to many Intruder use cases.

TruffleHog focuses on discovering exposed secrets in repositories and artifacts, not accelerating web request fuzzing. Postman is primarily an API client for building and replaying requests, but it is not optimized as a high-speed fuzzing engine. WPScan targets WordPress-specific enumeration and vulnerability checks and won’t provide general-purpose Intruder-like fuzzing across arbitrary web applications. Therefore, Wfuzz is the best option to speed up and achieve comparable fuzzing outcomes.

When the client indicates that the scope ' s hosts and assets are not included in the vulnerability scan results, it suggests that the tester may have missed discovering all the devices in the scope. Here’s the best course of action:

Performing a Discovery Scan:

Purpose: A discovery scan identifies all active devices on the network before running a detailed vulnerability scan. It ensures that all in-scope devices are included in the assessment.

Process: The discovery scan uses techniques like ping sweeps, ARP scans, and port scans to identify active hosts and services.

Comparison with Other Actions:

Rechecking the Scanner Configuration (A): Useful but not as comprehensive as ensuring all hosts are discovered.

Using a Different Scan Engine (C): Not necessary if the issue is with host discovery rather than the scanner’s capability.

Configuring All TCP Ports on the Scan (D): Helps in detailed scanning but does not address missing hosts.

Performing a discovery scan ensures that all in-scope devices are identified and included in the vulnerability assessment, making it the best course of action.

======

Channel Scanning:

Wireless communications can be disrupted by identifying and interfering with the channels used by Wi-Fi networks.

Channel scanning allows the tester to map all active Wi-Fi channels, identify the target network, and determine possible jamming or interference strategies.

Why Not Other Options?

A (Port mirroring): This applies to wired network traffic duplication for monitoring purposes and is unrelated to wireless disruption.

B (Sidecar scanning): Not a relevant technique in the context of wireless disruption.

C (ARP poisoning): This targets Ethernet/IP communication in a local network, not wireless communication at the radio frequency level.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Wireless Network Disruption Techniques

CrackMapExec (CME) is the best choice because it supports authenticated enumeration against Active Directory and can retrieve domain configuration information—including password policy details—using valid domain credentials. In the PenTest+ methodology, once a tester has a standard domain account, a common next step is to enumerate domain settings that influence attack feasibility and safety, such as minimum password length, complexity requirements, lockout threshold, lockout duration, and password history. These values directly inform how to build a “policy-aware” custom wordlist and how to tune dictionary or spraying attempts to remain within rules of engagement and avoid triggering lockouts.

Responder is primarily used for LLMNR/NBT-NS poisoning and capturing or relaying authentication on local networks; it does not query AD policy as its main function. Hydra is a login brute-force tool that performs attacks, not policy retrieval. msfvenom is a payload generator used for exploitation and post-exploitation delivery, unrelated to enumerating AD password policy. Therefore, CME is the most appropriate tool to retrieve the password policy for informed dictionary construction.

RFID Cloning:

RFID (Radio-Frequency Identification) cloning involves copying the data from an access badge and creating a duplicate that can be used for unauthorized entry.

Tools like Proxmark or RFID duplicators are commonly used for this purpose.

Why Not Other Options?

A (Smurfing): A network-based denial-of-service attack, unrelated to physical access.

B (Credential stuffing): Involves using stolen credentials in bulk for authentication attempts, unrelated to badge cloning.

D (Card skimming): Relates to stealing credit card information, not access badges.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Metadata extraction allows attackers to collect sensitive information from digital files.

EXIF (Exchangeable Image File Format) (Option A):

EXIF metadata contains camera details, GPS coordinates, timestamps, and software versions used to edit the file.

Attackers use tools like ExifTool to extract metadata for reconnaissance.