PT0-002 Free Practice Test

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

1. A. Add a web shell to the root of the website.
2. B. Upgrade the reverse shell to a true TTY terminal.
3. C. Add a new user with ID 0 to the /etc/passwd file.
4. D. Change the password of the root user and revert after the test.

Correct Answer: C
The best option for the penetration tester to maintain root-level persistence on this server during the test is to add a new user with ID 0 to the /etc/passwd file. This will allow the penetration tester to use the same user account as the other user, but with root privileges, meaning that it won’t disrupt the other user’s work. This can be done by adding a new line with the username and the numerical user ID 0 to the /etc/passwd file. For example, if the username for the other user is “johndoe”, the line to add would be “johndoe:x:0:0:John Doe:/root:/bin/bash”. After the user is added, the penetration tester can use the “su” command to switch to the new user and gain root privileges.

A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT?

1. A. Halt the penetration test.
2. B. Contact law enforcement.
3. C. Deconflict with the penetration tester.
4. D. Assume the alert is from the penetration test.

Correct Answer: C
Deconflicting with the penetration tester is the best thing to do next after the security alarms are triggered during a penetration test, as it will help determine whether the alarm was caused by the tester’s activity or by an actual threat. Deconflicting is the process of communicating and coordinating with other parties involved in a penetration testing engagement, such as security teams, network administrators, or emergency contacts, to avoid confusion or interference.

Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.)

1. A. The libraries may be vulnerable
2. B. The licensing of software is ambiguous
3. C. The libraries’ code bases could be read by anyone
4. D. The provenance of code is unknown
5. E. The libraries may be unsupported
6. F. The libraries may break the application

Correct Answer: AD
A. The libraries may be vulnerable to security bugs or exploits that can compromise the application or
the data. According to the web search results, open-source libraries often have vulnerabilities that can be exploited by attackers, such as Heartbleed, Shellshock, DROWN, or npm left-pad1234. These vulnerabilities can allow attackers to extract sensitive data, execute arbitrary commands, decrypt encrypted traffic, or break the functionality of the application. Therefore, using third-party open-source libraries in application code poses a significant security risk.
D. The provenance of code is unknown, meaning that the origin and history of the code are not verified or documented. According to the web search results, open-source libraries and client projects are developed and continuously evolving in an asynchronous way, which makes it difficult to track the changes and updates of the code2. Moreover, open-source libraries may have dependencies on other libraries, which can introduce additional risks or vulnerabilities1. Therefore, using third-party
open-source libraries in application code poses a significant quality risk.

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:
nmap –O –A –sS –p- 100.100.100.50
Nmap returned that all 65,535 ports were filtered.
Which of the following MOST likely occurred on the second scan?

1. A. A firewall or IPS blocked the scan.
2. B. The penetration tester used unsupported flags.
3. C. The edge network device was disconnected.
4. D. The scan returned ICMP echo replies.

Correct Answer: A

A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?

1. A. Credential harvesting
2. B. Privilege escalation
3. C. Password spraying
4. D. Domain record abuse

Correct Answer: A
Credential harvesting is a type of attack that aims to collect usernames and passwords from unsuspecting users by tricking them into entering their credentials on a fake or spoofed website. Credential harvesting can be done by using phishing emails that lure users to click on malicious links or attachments that redirect them to the fake website. The fake website may look identical or similar to the legitimate one, but it will capture and store the user’s credentials for later use by the attacker. In this case, the penetration tester set up a fake cloud mail login page and sent phishing emails to all company employees to harvest their credentials.