PT0-003 CompTIA PenTest+ Exam Free Practice Exam Questions (2026 Updated)

The correct answer is A. Target 1: EPSS Score = 0.6 and CVSS Score = 4

EPSS, the Exploit Prediction Scoring System, estimates the likelihood that a vulnerability will be exploited in the wild. CVSS, the Common Vulnerability Scoring System, measures the severity or technical impact of a vulnerability.

The question asks which target is most likely to get attacked, so the EPSS score is the most important factor. The highest EPSS score shown is 0.6, which appears in both Target 1 and Target 3.

Between those two, Target 1 has the higher CVSS score:

Target 1: EPSS 0.6, CVSS 4

Target 3: EPSS 0.6, CVSS 1

Since both have the same exploitation likelihood, the vulnerability with the higher impact/severity is the better choice. Therefore, Target 1 is the most likely and more meaningful attack target.

B is incorrect because its EPSS score is lower at 0.3.

C is incorrect because although its EPSS score is tied for highest, its CVSS score is much lower than Target 1.

D is incorrect because it has the highest CVSS score, but its EPSS score is lower than Target 1 and Target 3. A higher CVSS score means greater severity, not necessarily a higher likelihood of exploitation.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically vulnerability prioritization using exploit likelihood and severity metrics.

The correct answer is C. CVE-202X-YYYY: OpenSSL DROWN Attack

DROWN is an attack against SSL/TLS implementations that allows an attacker to decrypt encrypted communications when vulnerable SSLv2 support is present. Since SSL/TLS is a common protocol suite used to protect web and application traffic, a vulnerability that weakens or exposes encrypted communications aligns best with the scenario.

A is incorrect because IKEv2/IPSec relates to VPN/IPSec negotiation and encrypted tunnels, but the well-known attack associated with decrypting encrypted SSL/TLS communications is DROWN.

B is incorrect because Wireshark is a packet analysis tool, not the network protocol being exploited.

D is incorrect because EternalBlue targets Microsoft SMBv1 for remote code execution. It is not primarily an encrypted-communications interception or manipulation vulnerability.

In PenTest+ terms, this falls under Attacks and Exploits, specifically exploitation of cryptographic protocol weaknesses and attacks against SSL/TLS implementations.

This command gathers:

/etc/passwd – lists all local user accounts.

netstat -tuln – lists listening ports and associated services.

/etc/bash.bashrc – contains environment variables and configurations that could reveal system behaviors or hidden persistence mechanisms.

This provides a much broader and deeper enumeration compared to other options.

The tool that the penetration tester should use for further investigation is WPScan. This is because WPScan is a WordPress vulnerability scanner that can detect common WordPress security issues, such as weak passwords, outdated plugins, and misconfigured settings. WPScan can also enumerate WordPress users, themes, and plugins from the robots.txt file.

The two entries in the robots.txt file that the penetration tester should recommend for removal are:

Allow: /admin

Allow: /wp-admin

These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application’s backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.

In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here’s why option B is correct:

Tailgating: This involves following an authorized person into a secure area without proper credentials. During busy times, it’s easier to blend in and gain access without being noticed. It tests the effectiveness of physical access controls and security personnel.

Cloning Badge Information: This can be effective but requires proximity to employees and specialized equipment, making it more complex and time-consuming.

Picking Locks: This is a more invasive technique that carries higher risk and is less stealthy compared to tailgating.

Dropping USB Devices: This tests employee awareness and response to malicious devices but does not directly test physical access controls.

References from Pentest:

Writeup HTB: Demonstrates the effectiveness of social engineering and tailgating techniques in bypassing physical security measures​​.

Forge HTB: Highlights the use of non-invasive methods like tailgating to test physical security without causing damage or raising alarms​​.

Conclusion:

Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.

======

A template ensures consistency across reports by defining the required sections (scope, methodology, findings, risk ratings, remediation, evidence, executive summary, and appendices). Standardization helps reviewers and clients quickly find required information, supports quality assurance, and ensures compliance with contractual/reporting requirements. While templates also help articulate risks and contextualize data (A and C) and may indirectly save time (E), their primary purpose is to standardize needed information so every engagement includes the same baseline content and structure.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — produce consistent, repeatable reports and use templates to ensure completeness and QA.

Penetration test results are sensitive information and must be handled confidentially.

Privileged & Confidential Status Update (Option A):

Helps ensure compliance with legal and regulatory standards by labeling the report as confidential.

Encourages secure handling by recipients.

The best next step is to load the captured hash into John the Ripper for offline cracking. The tester already has a username and associated hash material, so the most practical action is to attempt to recover the plaintext password. Offline cracking is efficient because it does not directly interact with the target authentication service, which reduces noise and avoids account lockout risks compared with brute-force attempts using Hydra. NTLM relay would require an active relay opportunity and is not the clearest next move from the information shown. secretsdump is generally used after valid credentials or appropriate hash material are available for remote extraction, and the snippet provided does not indicate sufficient privilege or a full credential set for that step. Therefore, cracking the captured hash is the most appropriate immediate action to expand access.

The correct answer is D. Hydra

Hydra is a password-attack tool commonly used to test authentication services such as SSH, FTP, Telnet, RDP, HTTP, SMB, and others. In this scenario, the tester has a leaked password list and wants to verify whether any of those passwords can authenticate to an SSH server as a valid user. Hydra is the most appropriate tool because it can automate login attempts against SSH using usernames and password lists.

A is incorrect because BloodHound is used to analyze Active Directory relationships and identify attack paths. It is not used to test SSH logins with password lists.

B is incorrect because Responder is used to capture or poison network authentication traffic, commonly NTLM-related traffic. It is not the best tool for testing leaked passwords against SSH.

C is incorrect because Burp Suite is primarily used for web application testing. While it can test web logins, it is not designed for SSH authentication testing.

In PenTest+ terms, this falls under Attacks and Exploits, specifically password attacks, credential validation, and authentication testing against remote services.

The correct answer is A. Evilginx

Evilginx is a phishing framework commonly associated with adversary-in-the-middle phishing attacks. It can proxy authentication traffic between a victim and a legitimate service, allowing the attacker to capture credentials and session tokens. Because session tokens may be captured after successful authentication, Evilginx is known for being able to defeat or bypass some MFA workflows during authorized social engineering assessments.

B is incorrect because the listed commands resemble a phishing module configuration, but they are not the best-known or most appropriate option for capturing MFA/session tokens.

C is incorrect because wget portal.office.com only retrieves web content, and setting an environment variable named MFA does not create an MFA capture capability.

D is incorrect because Recon-ng is an OSINT and reconnaissance framework. It is used for information gathering, not for capturing MFA tokens or conducting adversary-in-the-middle phishing.

In PenTest+ terms, this falls under Attacks and Exploits, specifically social engineering, phishing, credential harvesting, and MFA/session-token capture techniques used during authorized engagements.

Comprehensive and Detailed Explanation From Exact Extract:

net.exe is the classic Windows networking utility that includes commands for enumerating domain resources and accounts from a compromised host where the tester has any authenticated domain context. Typical commands used by penetration testers to enumerate domain users with net.exe include:

net user /domain — lists domain user accounts (name and some properties).

net group " Domain Users " /domain — lists members of the Domain Users group.

net view /domain — lists computers in the domain (useful to find targets for further enumeration).

Why net.exe is the best option here:

It is installed by default on Windows systems and works with the current authenticated domain credentials (common after gaining a foothold).

It provides a quick, low-noise way to enumerate user accounts and groups without requiring additional tooling or elevated privileges beyond an authenticated domain user.

Results can be scripted and parsed for further enumeration and pivoting.

Why the other options are not appropriate:

A. pwd.exe — Not a standard Windows tool for domain enumeration (and not present by default).

C. sc.exe — Service Controller tool for managing services; not used to enumerate domain users.

D. msconfig.exe — System configuration GUI utility for startup/services; not for domain account enumeration.

Related alternatives (contextual, commonly used in pentests):

dsquery user -limit 0 (on systems with RSAT/AD tools) to query AD directly.

Get-ADUser -Filter * (PowerShell, requires the ActiveDirectory module and appropriate rights).

Tools like PowerView (PowerShell) or BloodHound (collection phase) can provide richer AD enumeration, but net.exe is the simplest built-in option to enumerate domain users from an authenticated foothold.

CompTIA PT0-003 Objective Mapping (summary):

Domain 2.0 Information Gathering and Vulnerability Scanning — enumerate network and Active Directory objects using native tools and scripts (e.g., net.exe for domain user enumeration).

The attacker’s goal is to create an account entry in /etc/passwd that grants root privileges. In Unix/Linux, the UID and GID determine privileges; UID 0 is the root account. The line the tester appended sets UID/GID to 1001:1001, which does not grant root privileges. Changing those numeric fields to 0:0 (UID 0, GID 0) will cause the new account to be treated as root when the entry is parsed by the system, enabling a root-level login with the supplied hash.

Additional correctness notes (non-exploitating guidance):

The appended line must match the exact /etc/passwd format (no stray spaces or malformed punctuation).

The password hash must match the system’s expected scheme; openssl passwd produced an MD5-style hash ($1$...) — ensure the hash is correctly copied (case/character fidelity matters).

Modifying /etc/passwd in this way is destructive and illegal without explicit authorization; in an authorized testing engagement, these details are taught to illustrate how misconfigurations lead to privilege escalation.

Why other choices are incorrect:

A: The redirect > > /etc/passwd (append) is appropriate for adding a line; switching to a single redirect is not the central issue.

B: md5sum would produce a raw MD5 digest, not the salted hash format expected by /etc/shadow//etc/passwd entries.

C: Logging in via SSH does not enable the exploit; creating the user with UID 0 is the required change.

CompTIA PT0-003 Mapping:

Domain 3.0 Attacks and Exploits — local privilege escalation techniques and understanding of OS account mechanics.

A computer screen shot of a computer Description automatically generated

A screen shot of a computer Description automatically generated

A computer screen with white text Description automatically generated

An orange screen with white text Description automatically generated

The correct construct for handling runtime failures (for example, login failures, network timeouts, or server errors) in Python is a try/except block (option C). Wrapping potentially failing operations in a try block and handling exceptions in except allows the script to catch the exception and continue execution (log the error, skip the target, retry, etc.) rather than crashing.

Why C is correct:

try/except is the Python mechanism to handle exceptions raised during execution. For network/email operations (IMAP login/select), IMAP libraries raise exceptions on failure — try/except catches these and enables recovery logic.

Example corrected snippet:

import imaplib, sys

def enumerate_inbox(server, port, user, passwd):

try:

mail = imaplib.IMAP4(server, port)

mail.login(user, passwd)

status, messages = mail.select( " inbox " )

print(f " Total Emails: {int(messages[0])} " )

except imaplib.IMAP4.error as e:

print(f " IMAP error for {user}: {e} " )

# continue to next account or retry

except Exception as e:

print(f " Unexpected error for {user}: {e} " )

finally:

try:

mail.logout()

except:

pass

Why the other options are not the best fit:

A. do/while loop: Python has no native do/while; loops alone won’t catch exceptions — they may repeat the crash.

B. iterator: Iterators control iteration over collections, not exception handling.

D. if/else conditional: Conditionals can test return values but cannot handle exceptions thrown by library calls; they are not sufficient to prevent the script from aborting when an exception is raised.

CompTIA PT0-003 Mapping:

Domain 4.0 Tools and Code Analysis — basic defensive programming and error handling when writing or reviewing scripts used in engagements (use exception handling to make enumeration tools robust and predictable).

To see any vulnerabilities that may be visible from outside of the organization, the penetration tester should perform an unauthenticated scan.

Unauthenticated Scan:

Definition: An unauthenticated scan is conducted without providing any credentials to the scanning tool. It simulates the perspective of an external attacker who does not have any prior access to the system.

Purpose: Identifies vulnerabilities that are exposed to the public and can be exploited without authentication. This includes open ports, outdated software, and misconfigurations visible to the outside world.

Comparison with Other Scans:

SAST (Static Application Security Testing): Analyzes source code for vulnerabilities, typically used during the development phase and not suitable for external vulnerability scanning.

Sidecar: This term is generally associated with microservices architecture and is not relevant to the context of vulnerability scanning.

Host-based: Involves scanning from within the network and often requires authenticated access to the host to identify vulnerabilities. It is not suitable for determining external vulnerabilities.

Pentest References:

External Vulnerability Assessment: Conducting unauthenticated scans helps identify the attack surface exposed to external threats and prioritizes vulnerabilities that are accessible from the internet.

Tools: Common tools for unauthenticated scanning include Nessus, OpenVAS, and Nmap.

By performing an unauthenticated scan, the penetration tester can identify vulnerabilities that an external attacker could exploit without needing any credentials or internal access.

======

The correct answer is A. Utilizing port mirroring on a firewall appliance

The key issue is that the tester must avoid tampering with the ICS host because modifying it could void the manufacturer’s support terms. Port mirroring, also known as SPAN, allows the tester to passively copy network traffic from a switch or firewall interface to a monitoring port. The tester can then inspect the copied traffic from a separate analysis system without installing software, changing configurations, or interfering with the ICS application.

This is the most effective and safest method to determine whether communications are encrypted in transit because the assessment team can observe whether traffic is plaintext or encrypted while avoiding changes to the protected host.

B is incorrect because installing packet capture software on the server modifies the host and could violate the support terms.

C is incorrect because reconfiguring the application to use a proxy changes the application behavior and would be considered tampering.

D is incorrect because requesting certificate pinning be disabled changes the application’s security configuration and is unnecessary for simply validating whether traffic is encrypted in transit.

In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, especially passive traffic analysis, packet capture, and safe testing considerations in sensitive environments such as ICS/OT.

MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.

Understanding MAC Address Spoofing:

MAC Address: A unique identifier assigned to network interfaces for communication on the physical network segment.

Spoofing: Changing the MAC address to a different one, typically that of an authorized device, to gain access to restricted networks.

Purpose:

Bypassing Access Controls: Gain access to networks that use MAC address filtering as a security measure.

Impersonation: Assume the identity of another device on the network to intercept traffic or access network resources.

Tools and Techniques:

Linux Command: Use the ifconfig or ip command to change the MAC address.

Step-by-Step Explanationifconfig eth0 hw ether 00:11:22:33:44:55

Tools: Tools like macchanger can automate the process of changing MAC addresses.

Impact:

Network Access: Gain unauthorized access to networks and network resources.

Interception: Capture traffic intended for another device, potentially leading to data theft or further exploitation.

Detection and Mitigation:

Monitoring: Use network monitoring tools to detect changes in MAC addresses.

Secure Configuration: Implement port security on switches to restrict which MAC addresses can connect to specific ports.

References from Pentesting Literature:

MAC address spoofing is a common technique discussed in wireless and network security chapters of penetration testing guides.

HTB write-ups often include examples of using MAC address spoofing to bypass network access controls and gain unauthorized access.

Eavesdropping:

Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.

Why Not Other Options?

B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.

C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.

D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Techniques for Intercepting Communication

Cross-Site Request Forgery (CSRF) vulnerabilities can be leveraged to trick authenticated users into performing unwanted actions on a web application. The right tool for this task would help in exploiting web-based vulnerabilities, particularly those related to web browsers and interactions.

Browser Exploitation Framework (BeEF) (Answer: A):

BeEF is a powerful tool specifically designed for exploiting web browser vulnerabilities. It can hook web browsers and perform a wide range of attacks, including CSRF.

Capabilities: BeEF is equipped with modules to create CSRF attacks, capture session tokens, and gather sensitive information from the target user ' s browser session.