PT0-003 Free Practice Test

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

1. A. schtasks.exe
2. B. rundll.exe
3. C. cmd.exe
4. D. chgusr.exe
5. E. sc.exe
6. F. netsh.exe

Correct Answer: AE
To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.
✑ schtasks.exe:
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM
✑ sc.exe:
sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto
✑ Other Utilities:
Pentest References:
✑ Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.
✑ Windows Tools: Understanding how to leverage built-in Windows tools like
schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.
By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
=================

A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?

1. A. SSL certificate inspection
2. B. URL spidering
3. C. Banner grabbing
4. D. Directory brute forcing

Correct Answer: C
Banner grabbing is a technique used to obtain information about a network service, including its version number, by connecting to the service and reading the response.
✑ Understanding Banner Grabbing:
✑ Manual Banner Grabbing:
Step-by-Step Explanationtelnet target_ip 80
✑ uk.co.certification.simulator.questionpool.PList@5af47689 nc target_ip 80
✑ Automated Banner Grabbing: nmap -sV target_ip
✑ Benefits:
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network. Which of the following attacks would the tester most likely perform to gain access?

1. A. KARMA attack
2. B. Beacon flooding
3. C. MAC address spoofing
4. D. Eavesdropping

Correct Answer: A
To exploit a vulnerability in a wireless network's authentication mechanism and gain unauthorized access, the penetration tester would most likely perform a KARMA attack.
✑ KARMA Attack:
✑ Purpose:
✑ Other Options:
Pentest References:
✑ Wireless Security Assessments: Understanding common attack techniques such as KARMA is crucial for identifying and exploiting vulnerabilities in wireless networks.
✑ Rogue Access Points: Setting up rogue APs to capture credentials or perform man-in-the-middle attacks is a common tactic in wireless penetration testing.
By performing a KARMA attack, the penetration tester can exploit the wireless network's authentication mechanism and gain unauthorized access to the network.
=================

A penetration tester needs to complete cleanup activities from the testing lead. Which of the following should the tester do to validate that reverse shell payloads are no longer running?

1. A. Run scripts to terminate the implant on affected hosts.
2. B. Spin down the C2 listeners.
3. C. Restore the firewall settings of the original affected hosts.
4. D. Exit from C2 listener active sessions.

Correct Answer: A
To ensure that reverse shell payloads are no longer running, it is essential to actively terminate any implanted malware or scripts. Here??s why option A is correct:
✑ Run Scripts to Terminate the Implant: This ensures that any reverse shell payloads or malicious implants are actively terminated on the affected hosts. It is a direct and effective method to clean up after a penetration test.
✑ Spin Down the C2 Listeners: This stops the command and control listeners but does not remove the implants from the hosts.
✑ Restore the Firewall Settings: This is important for network security but does not directly address the termination of active implants.
✑ Exit from C2 Listener Active Sessions: This closes the current sessions but does not ensure that implants are terminated.
References from Pentest:
✑ Anubis HTB: Demonstrates the process of cleaning up and ensuring that all implants are removed after an assessment.
✑ Forge HTB: Highlights the importance of thoroughly cleaning up and terminating any payloads or implants to leave the environment secure post-assessment.
=================

A penetration tester creates a list of target domains that require further enumeration. The tester writes the following script to perform vulnerability scanning across the domains:
line 1: #!/usr/bin/bash
line 2: DOMAINS_LIST = "/path/to/list.txt" line 3: while read -r i; do
line 4: nikto -h $i -o scan-$i.txt & line 5: done
The script does not work as intended. Which of the following should the tester do to fix the script?

1. A. Change line 2 to {"domain1", "domain2", "domain3", }.
2. B. Change line 3 to while true; read -r i; do.
3. C. Change line 4 to nikto $i | tee scan-$i.txt.
4. D. Change line 5 to done < "$DOMAINS_LIST".

Correct Answer: D
The issue with the script lies in how the while loop reads the file containing the list of domains. The current script doesn't correctly redirect the file's content to the loop. Changing line 5 to done < "$DOMAINS_LIST" correctly directs the loop to read from the file.
Step-by-Step Explanation
✑ Original Script: DOMAINS_LIST="/path/to/list.txt" while read -r i; do
nikto -h $i -o scan-$i.txt & done
✑ Identified Problem:
✑ Solution: DOMAINS_LIST="/path/to/list.txt" while read -r i; do
nikto -h $i -o scan-$i.txt & done < "$DOMAINS_LIST"
✑ Explanation
✑ References from Pentesting Literature:
=================