CompTIA PT0-003 Practice Test 2026

Updated On : 25-May-2026

Prepare smarter and boost your chances of success with our CompTIA PT0-003 practice test 2026. These CompTIA PenTest+ Exam test questions help you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the PT0-003 practice exam are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA PT0-003 certified.

13210 already prepared

321 Questions
CompTIA PenTest+ Exam
4.8/5.0


During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain. The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment. Which of the following steps should the tester take to complete the goal?

A. Use Mimikatz to collect information about the accounts and try to authenticate in other systems

B. Use Hashcat to crack a password for the local user on the compromised endpoint

C. Use Evil-WinRM to access other systems in the network within the endpoint credentials

D. Use Metasploit to create and execute a payload and try to upload the payload into other systems

A.   Use Mimikatz to collect information about the accounts and try to authenticate in other systems

Explanation:

The tester has compromised a Windows endpoint in an Active Directory domain and wants to leverage credentials to authenticate into other systems. Mimikatz can extract plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory. These credentials can then be used for pass-the-hash, pass-the-ticket, or simply logging in with recovered plaintext passwords to move laterally to other domain-joined systems. This directly achieves the goal.

Why other options are incorrect

B. Hashcat to crack local user password
– Cracking a local user password does not help authenticate to other domain systems. Domain authentication requires domain credentials, not local account credentials.

C. Evil-WinRM
– A tool for remote management using WinRM. It requires valid credentials first. The tester needs to obtain credentials before using Evil-WinRM.

D. Metasploit payload creation
– Uploading payloads to other systems is lateral movement, but the tester first needs valid credentials or an exploit. The question specifies "leverage credentials" — Mimikatz extracts them first.

References

CompTIA PenTest+ PT0-003 – Domain 3.4 (Lateral Movement): "Use Mimikatz to extract credentials for lateral movement."

MITRE ATT&CK T1003.001 – "Credential Dumping: LSASS Memory" (Mimikatz).

During an assessment of a company, a penetration tester sends the following email to the company’s Chief Financial Officer (CFO):

Dear CFO,

As we talked about during a recent meeting, please open the following attachment that contains the invoice for an existing vendor. If you do not pay this now, we will suspend the licenses for your billing system in three days.

GoPay CMS Systems Services

Which of the following techniques is this attack an example of?

A. Whaling

B. Phishing

C. Spear phishing

D. Vishing

A.   Whaling

Explanation:

The email targets the Chief Financial Officer (CFO), a high-profile executive, with a fraudulent invoice and threat of license suspension. This is a highly targeted attack against a senior executive, which fits the definition of whaling—a subtype of spear phishing aimed at "whales" (C-suite or high-value individuals).

✔️ Correct Option:

A. Whaling – Whaling specifically targets senior executives like CFOs, CEOs, or presidents. The email addresses the CFO directly, references a "recent meeting" (social engineering to build trust), and uses urgency. The mention of billing system licenses adds business context, making it tailored for an executive rather than a general employee.

❌ Incorrect options:

B. Phishing – Phishing is broad, untargeted, and sent to many recipients. This email is personalized to the CFO with specific business details. Phishing lacks the executive-level targeting seen here.

C. Spear phishing – While this is technically a form of spear phishing, whaling is the more precise answer because the target is a C-level executive. CompTIA distinguishes whaling as a separate category when the target is a "whale."

D. Vishing – Vishing uses voice calls or voicemail, not email. This attack is delivered via written email, so vishing does not apply.

🔧 Reference:
→ CompTIA PenTest+ PT0-002 Cert Guide – Confirms whaling as a distinct social engineering category alongside spear phishing and phishing

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?

A. Kiosk escape

B. Arbitrary code execution

C. Process hollowing

D. Library injection

A.   Kiosk escape

Explanation
The scenario describes a classic kiosk escape attack. Let's break down the key elements:

Environment:
A SCADA workstation that is running a single application. This is a common security measure to lock down the interface and prevent users from accessing the underlying operating system, effectively turning the workstation into a "kiosk."

Attack Vector:
The tester finds a way within the application itself to open a terminal window (command prompt, shell, etc.).

Result:
The tester gains access to the underlying OS.
This entire process—bypassing the restricted "kiosk" mode to gain unauthorized access to the host system—is the definition of a kiosk escape attack. The vulnerability is often found in the application's features (e.g., a help menu that allows launching a browser, which can then be used to access the local file system) or misconfigurations in the kiosk lockdown software.

Why the Other Options Are Incorrect
B. Arbitrary code execution:
This is a broader term for a vulnerability that allows an attacker to run any code of their choice. While a successful kiosk escape involves executing code (e.g., cmd.exe), the specific goal and context of breaking out of a single-application environment make "kiosk escape" the more precise answer. Arbitrary code execution is the mechanism, but kiosk escape is the attack type.

C. Process hollowing:
This is a specific malware technique where a legitimate process is created in a suspended state, its memory is "hollowed out" and replaced with malicious code, and then it is resumed. This is a method for evading detection, not for breaking out of a kiosk mode.

D. Library injection:
This is another technique where code is injected into a running process by forcing it to load a malicious dynamic-link library (DLL). Like process hollowing, it is a code execution technique but not descriptive of the overall goal of escaping a restricted application environment.

Reference
Kiosk escape is a well-known attack vector in penetration testing, especially in operational technology (OT) environments like SCADA systems where workstations are often locked down. The PenTest+ exam objectives (Domain 3.3: Given a scenario, perform post-exploitation techniques) include understanding attacks against constrained environments, which this scenario perfectly exemplifies.

During an assessment, a penetration tester sends the following request:

POST /services/v1/users/create HTTP/1.1
Host: target-application.com
Content-Type: application/json
Content-Length: [dynamic]
Authorization: Bearer (FUZZ)

Which of the following attacks is the penetration tester performing?

A. Directory traversal

B. API abuse

C. Server-side request forgery

D. Privilege escalation

B.   API abuse

Explanation:

The request is a POST to /services/v1/users/create with an Authorization: Bearer (FUZZ) header. The (FUZZ) indicates the tester is using a fuzzer to test different Bearer token values. This is API abuse — specifically, testing for broken authentication or privilege escalation by attempting to use forged, stolen, or missing tokens to create user accounts without proper authorization. The tester is abusing the API endpoint's access control mechanism.

Why other options are incorrect

A. Directory traversal
– Involves ../ sequences to access files outside the web root. The request shows no path traversal patterns.

C. Server-side request forgery (SSRF)
– Forces the server to make requests to internal or external resources. The request is a standard API call, not an SSRF payload.

D. Privilege escalation
– While the goal may be privilege escalation, the attack technique itself is API abuse (fuzzing Bearer tokens to escalate privileges). Privilege escalation is the outcome, not the method.

References

CompTIA PenTest+ PT0-003 – Domain 3.2 (Web Application Attacks): "API abuse including token fuzzing and broken access control."

OWASP API Security Top 10 – API1:2023 (Broken Object Level Authorization), API2:2023 (Broken Authentication).

During a security audit, a penetration tester wants to exploit a vulnerability in a common network protocol. The protocol allows encrypted communications to be intercepted and manipulated. Which of the following vulnerabilities should the tester exploit?

A. CVE-202W-ZZZZ: Cisco ASA IKEv2/IPSec Fragmentation Vulnerability

B. CVE-202Y-XXXX: Wireshark SSL/TLS Decryption Vulnerability

C. CVE-202X-YYYY: OpenSSL DROWN Attack

D. CVE-202Z-WWWW: Microsoft SMBv1 EternalBlue Exploit

C.   CVE-202X-YYYY: OpenSSL DROWN Attack

Explanation:

This question tests knowledge of network protocol vulnerabilities that specifically target encrypted communications. The key condition is that the vulnerability must allow encrypted traffic to be intercepted and manipulated. Only one option directly targets the SSL/TLS encryption protocol stack and enables an attacker to decrypt and manipulate encrypted sessions through a cryptographic weakness.

✅ Option C — CVE-202X-YYYY: OpenSSL DROWN Attack (Correct)
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) exploits SSLv2 weaknesses in OpenSSL to decrypt and manipulate encrypted TLS communications. An attacker intercepts TLS sessions and uses the vulnerable SSLv2 support to perform cryptographic attacks, breaking encryption on modern connections. This directly satisfies the requirement of intercepting and manipulating encrypted communications over a common network protocol.

❌ Option A — CVE-202W-ZZZZ: Cisco ASA IKEv2/IPSec Fragmentation Vulnerability
This vulnerability exploits fragmentation handling weaknesses in Cisco ASA's IPSec implementation. While it targets a network security appliance, its primary impact is denial-of-service or device instability through malformed packets — not the interception or active manipulation of encrypted communication sessions between endpoints.

❌ Option B — CVE-202Y-XXXX: Wireshark SSL/TLS Decryption Vulnerability
Wireshark is a packet capture and analysis tool — not a network communication protocol. A vulnerability in Wireshark would affect the analysis software itself, not the underlying SSL/TLS protocol stack. It does not represent a protocol-level weakness that enables active interception or manipulation of live encrypted communications.

❌ Option D — CVE-202Z-WWWW: Microsoft SMBv1 EternalBlue Exploit
EternalBlue exploits a buffer overflow in Microsoft's SMBv1 protocol to achieve remote code execution on Windows systems. While it targets a common network protocol, SMBv1 communications are not encrypted — its primary impact is unauthorized code execution and lateral movement, not interception or manipulation of encrypted traffic.

🔧 Reference:
→ CompTIA PenTest+ (PT0-003) Exam Objectives — Domain 3: Attacks & Exploits
Explicitly covers network protocol vulnerabilities, cryptographic attack techniques, and exploitation of weaknesses in encrypted communication protocols as testable competencies under the attacks and exploits domain.

A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:
Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC
Nmap scan report for example.com (192.168.1.10)
Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
2222/tcp open ssh
444/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Which of the following is the most likely reason for the connectivity issue?

A. The SSH service is running on a different port.

B. The SSH service is blocked by a firewall.

C. The SSH service requires certificate authentication.

D. The SSH service is not active.

A.   The SSH service is running on a different port.

Explanation:

The Nmap output shows port 2222/tcp open ssh instead of the default SSH port 22. The tester is likely attempting to connect to port 22 (default SSH) and failing, assuming the service is missing or blocked. However, SSH is actively running on port 2222. The connectivity issue is simply that the tester is using the wrong port.

Why other options are incorrect

B. SSH service blocked by firewall – Nmap shows port 2222 as open, meaning no firewall is blocking it. If blocked, Nmap would show filtered or closed.

C. SSH requires certificate authentication – This affects authentication, not connectivity. The tester would still establish a TCP connection to the correct port.

D. SSH service is not active – Nmap confirms SSH is active and listening on port 2222.

References

CompTIA PenTest+ PT0-003 – Domain 2.2 (Network Scanning): "Interpret Nmap output to identify non-standard service ports."

Nmap documentation – open state means a service is actively listening on that port.

Common misconfiguration – SSH moved from port 22 to another port (e.g., 2222) for obscurity or to avoid automated scans.
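As an added example (not part of the practice test), here is a small Python parser that applies the reasoning above to Nmap normal output: it extracts the port table and flags open services that are not on their usual port. The default-port table is an assumption kept deliberately small.

```python
import re

# Constructed input: the Nmap normal-output excerpt quoted in the question above,
# embedded here as test data rather than taken from a live scan.
NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC
Nmap scan report for example.com (192.168.1.10)
Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
2222/tcp open ssh
444/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
"""

# Usual ports for the services in this scan (assumption: a small hand-written table;
# a fuller tool would load Nmap's nmap-services file instead).
DEFAULT_PORTS = {
    "ftp": {21}, "ssh": {22}, "http": {80}, "https": {443},
    "msrpc": {135}, "netbios-ssn": {139}, "microsoft-ds": {445},
}

# Matches port-table rows such as "2222/tcp open ssh"; header and summary lines do not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return (port, protocol, state, service) tuples from Nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def nonstandard_ports(rows):
    """Map each open service that is not on its usual port to the port it was found on."""
    findings = {}
    for port, _proto, state, service in rows:
        expected = DEFAULT_PORTS.get(service)
        if state == "open" and expected is not None and port not in expected:
            findings[service] = port
    return findings


def explain_connectivity(rows, service="ssh"):
    """Reproduce the troubleshooting logic from the explanation for one service."""
    open_on = [port for port, _p, state, svc in rows if svc == service and state == "open"]
    if not open_on:
        return f"{service}: no open port found (filtered, closed or not running)"
    default = min(DEFAULT_PORTS.get(service, {0}))
    if default in open_on:
        return f"{service}: open on the default port {default}"
    return f"{service}: open on {open_on[0]} rather than default {default}; connect to port {open_on[0]}"


if __name__ == "__main__":
    rows = parse_nmap(NMAP_OUTPUT)
    print(nonstandard_ports(rows))   # {'ssh': 2222, 'microsoft-ds': 444}
    print(explain_connectivity(rows))
```

On the scan above it reports ssh on 2222 and also microsoft-ds on 444 rather than 445, which deserves the same second look for the same reason.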

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following:

The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?

A. Server 1

B. Server 2

C. Server 3

D. Server 4

C.   Server 3

Explanation:

The client is concerned about the availability of its consumer-facing production application. The Perimeter network web server is the only host directly exposed to external consumers. A compromise or disruption of this server would directly impact customer availability. Servers 1, 2, and 4 are internal (development, back-office, QA) and do not affect consumer-facing production availability as directly as the perimeter web server.

Why other options are incorrect

A. Development sandbox server – Internal, non-production. Not consumer-facing. Exploitation here does not affect customer availability.

B. Back-office file transfer server – Internal business function. May be important for operations but not directly consumer-facing.

D. Developer QA server – Quality assurance/internal testing. No direct impact on consumer availability.

References

CompTIA PenTest+ PT0-003 – Domain 1.0 (Planning and Scoping): "Prioritize testing based on business impact and asset criticality."

NIST SP 800-115 – Risk-based testing prioritization: external-facing assets have higher availability impact.

Business impact analysis (BIA) – Consumer-facing production systems are critical for availability.

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server – High-severity vulnerabilities

1. Development sandbox server – 32
2. Back office file transfer server – 51
3. Perimeter network web server – 14
4. Developer QA server – 92

The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?

A. Server 1

B. Server 2

C. Server 3

D. Server 4

C.   Server 3

Explanation:

This question assesses your knowledge regarding vulnerability prioritization and risk management in penetration testing. It tests your ability to evaluate which asset poses the greatest risk and requires manual testing based on its exposure and business impact.

Option A
❌ This option is incorrect because the development sandbox server is primarily used for testing and development rather than being customer-facing, posing a lower immediate risk to production operations.

Option B
❌ This option is incorrect because the back office file transfer server is typically an internal-facing asset, which is less exposed to external threats than the perimeter network.

Option C
✔️ This option is correct because the perimeter network web server (Server 3) is an internet-facing asset, making it highly exposed to external attackers. Even with a lower number of high-severity vulnerabilities, an exploit on this system could provide direct access to the internal network and directly impact customer-facing operations or availability.

Option D
❌ This option is incorrect because the developer QA server is an internal testing environment that does not directly expose the consumer-facing production application to external threats.

Reference
CompTIA PenTest+ Certification confirms the skills related to vulnerability prioritization and risk assessment.

A penetration tester is preparing a password-spraying attack against a known list of users for the company "example". The tester is using the following list of commands:

1. pw-inspector -i sailwords -t 8 -S pass
2. spray365.py spray -ep $plan
3. users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan"
4. spray365.py generate --password-file $pass --userfile $users --domain "example.com" --execution-plan $plan
5. cewl -m 5 "http://www.example.com" -w sailwords

Which of the following is the correct order for the list of the commands?

A. 3, 4, 1, 2, 5

B. 3, 1, 2, 5, 4

C. 2, 3, 1, 4, 5

D. 3, 5, 1, 4, 2

A.   3, 4, 1, 2, 5

Explanation:

Password spraying is a targeted brute-force attack where a few commonly used passwords are tested against a large number of usernames to avoid account lockouts. To execute this successfully using the tools provided, a specific logical workflow must be followed: Define Variables → Gather Data → Refine List → Prepare Plan → Execute.

Step 3 (Variables): First, the tester must define the environment variables (users, allwords, pass, etc.). Without these paths being set in the shell, subsequent commands referring to $pass or $plan would fail.

Step 5 (CeWL): The tester uses CeWL (Custom Word List Generator) to spider the target website (www.example.com). This gathers keywords unique to the company's culture, products, or industry to create a raw wordlist (sailwords).

Step 1 (pw-inspector): The raw wordlist from CeWL is piped through pw-inspector. This refines the list by applying specific criteria (like a minimum length of 8 characters and containing a symbol) to ensure the words match the target's password policy.

Step 4 (Spray365 Generate): With a refined password list and a user list, the tester uses Spray365 to generate an execution plan. This step maps which passwords will be tried against which users and sets the timing to avoid detection.

Step 2 (Spray365 Spray): Finally, the tester executes the "spray" command using the previously generated execution plan to begin the actual authentication attempts against the target domain.

Incorrect Options Analysis

Options B, C, and D:
These are incorrect because they violate the functional dependencies of the tools. For example, you cannot "generate" a plan (Step 4) or "spray" (Step 2) until you have gathered and inspected the wordlist (Steps 5 and 1). Similarly, defining variables (Step 3) must happen before those variables are called in other commands.

References

CompTIA PenTest+ (PT0-003) Objective 3.2: Given a scenario, perform network-based attacks (Password Attacks).

MITRE ATT&CK Framework: Technique T1110.003 (Brute Force: Password Spraying).
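From the defender's side, the workflow above leaves a recognisable trace: one source failing once or twice against many distinct accounts while staying under the lockout threshold. The following Python is an added example (not from the practice test or from the tools named above) that applies that heuristic to a constructed authentication log; the window and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): 203.0.113.5 tries one password against
# five different users, while 10.0.0.7 is one user failing repeatedly (ordinary brute
# force or a forgotten password, not spraying).
AUTH_LOG = """\
2024-01-10T12:00:01Z FAIL alice 203.0.113.5
2024-01-10T12:00:03Z FAIL bob 203.0.113.5
2024-01-10T12:00:05Z FAIL carol 203.0.113.5
2024-01-10T12:00:07Z FAIL dave 203.0.113.5
2024-01-10T12:00:09Z FAIL erin 203.0.113.5
2024-01-10T12:00:11Z OK frank 203.0.113.5
2024-01-10T12:01:00Z FAIL carol 10.0.0.7
2024-01-10T12:01:10Z FAIL carol 10.0.0.7
2024-01-10T12:01:20Z FAIL carol 10.0.0.7
2024-01-10T12:01:30Z FAIL carol 10.0.0.7
2024-01-10T12:05:00Z OK alice 10.0.0.9
"""


def parse_log(text):
    """Return (timestamp, result, user, source) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user.lower(), src))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, lockout=3):
    """Flag sources whose failures in any window span many users but stay below the
    per-user lockout threshold; that low-and-wide shape is the spraying signature."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            per_user = defaultdict(int)
            for _, user in chunk:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                alerts[src] = {"distinct_users": len(per_user), "attempts": len(chunk)}
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that logged in successfully from a flagged source: the first thing to triage."""
    return sorted({user for _, result, user, src in events if result == "OK" and src in alerts})


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    alerts = detect_spraying(events)
    print(alerts)                                  # {'203.0.113.5': {'distinct_users': 5, 'attempts': 5}}
    print(successes_after_spray(events, alerts))   # ['frank']
```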

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A-----> www
A-----> host
TXT --> vpn.comptia.org
SPF---> ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

A. MX

B. SOA

C. DMARC

D. CNAME

C.   DMARC

Explanation:

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that instructs email receivers how to handle messages that fail SPF or DKIM authentication checks. It allows domain owners to set policies such as "reject" or "quarantine" for unauthenticated emails. This directly prevents attackers from spoofing the domain in phishing campaigns, as receiving mail servers will block or flag emails that do not pass verification. Without DMARC, SPF alone is insufficient because it does not define an action for failures.

Why other options are incorrect

A. MX (Mail Exchange) – Specifies which mail servers accept email for the domain. It has no authentication or anti-spoofing capabilities.

B. SOA (Start of Authority)
– Contains DNS zone metadata (primary nameserver, admin contact, serial number). Completely unrelated to email security.

D. CNAME (Canonical Name)
– Creates domain aliases (e.g., www to @). Does not affect email authentication or spoofing prevention.

References

CompTIA PenTest+ PT0-003 – Domain 2.1: "DMARC to prevent email spoofing and phishing attacks."

RFC 7489 – DMARC specification.

MITRE ATT&CK T1585.002 – "Phishing for Information" – DMARC mitigates domain spoofing.

NIST SP 800-177 – Email security recommendations include DMARC deployment.

OWASP Phishing Guide – DMARC, SPF, and DKIM are core anti-phishing DNS records.
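As an added example (not part of the practice test), the Python below parses a constructed DMARC record and works through the receiver-side decision the explanation describes. It goes a step beyond the paragraph by including the alignment check (adkim/aspf) and the subdomain policy (sp=); the organizational-domain helper is a deliberate simplification.

```python
# Constructed DMARC record for the policy domain example.org (assumption: not a real record).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.org"
POLICY_DOMAIN = "example.org"


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, applying the RFC 7489 default of relaxed alignment."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels
    (assumption: real receivers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passes AND the
    authenticated domain aligns with the RFC5322.From domain; otherwise the record's
    p= applies (or sp= when the From domain is a subdomain of the policy domain)."""
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = pol.get("sp", pol["p"]) if is_subdomain else pol["p"]
    return ("fail", policy)


if __name__ == "__main__":
    # A spoofed message: SPF passes for the sender's own envelope domain, but that
    # domain is not aligned with the spoofed From: header, so the record's p=reject applies.
    print(dmarc_disposition(DMARC_RECORD, POLICY_DOMAIN, "example.org",
                            "pass", "attacker.example", "none", ""))   # ('fail', 'reject')
```

The first case is exactly why SPF alone is insufficient: the spoofer's SPF result is a genuine pass, and only the alignment requirement plus a published policy turns it into a rejection.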


CompTIA PenTest+ Exam Practice Questions

CompTIA PT0-003 Official Exam Blueprints and Our Practice Questions


CompTIA PenTest+ PT0-003 Domain – Official Exam Weight – Our Practice Questions

Engagement Management – 13% – 56 questions
Subtopics: Planning and scoping, Rules of engagement, Compliance requirements, Legal and ethical concepts, Risk analysis, Target selection, Resource planning, Stakeholder communication, Executive reporting, Technical reporting, Remediation recommendations, Documentation standards, Post-engagement activities

Reconnaissance and Enumeration – 21% – 60 questions
Subtopics: Passive reconnaissance, Active reconnaissance, OSINT, DNS enumeration, Service discovery, Port scanning, Network scanning, Packet analysis, Web enumeration, Wireless reconnaissance, Cloud enumeration, Nmap, Wireshark, Shodan, Fingerprinting, Enumeration scripts, Bash scripting, Python scripting, PowerShell

Vulnerability Discovery and Analysis – 17% – 47 questions
Subtopics: Vulnerability scanning, Scan analysis, Vulnerability validation, False positives, SAST, DAST, Web application vulnerabilities, Cloud vulnerabilities, API vulnerabilities, Nessus, Nikto, OpenVAS, Configuration analysis, CVE analysis, Risk prioritization, Secure code review, Static code analysis

Attacks and Exploits – 35% – 127 questions
Subtopics: Network attacks, Password attacks, SQL injection, Cross-site scripting (XSS), CSRF attacks, Authentication attacks, Privilege escalation, Wireless attacks, Cloud attacks, API exploitation, Social engineering, Malware exploitation, Evasion techniques, Metasploit, Burp Suite, SQLmap, Exploit frameworks, AI attacks, Prompt injection, Credential attacks, Pivoting techniques

Post-exploitation and Lateral Movement – 14% – 32 questions
Subtopics: Persistence mechanisms, Lateral movement, Credential harvesting, Privilege escalation, Pivoting and tunneling, Data exfiltration, Covering tracks, Cleanup procedures, Command and control (C2), Session hijacking, Attack path documentation, Post-exploitation analysis

Master Penetration Testing with PenTest+ PT0-003


CompTIA PenTest+ PT0-003 certification validates your hands-on penetration testing and vulnerability assessment skills. Our realistic practice tests prepare you for the latest exam version, helping you develop the offensive security mindset needed for today's cybersecurity challenges.

Exam Code: PT0-003
Exam Name: CompTIA Pentest+ Exam
Certification Name: Pentest+
Certification Provider: CompTIA
Exam Questions: 85
Type of Questions: MCQs and performance-based
Exam Time: 165 minutes
Passing Score: 700

What Does the PT0-003 Exam Cover?


PT0-003 exam validates hands-on skills and knowledge in key areas such as:

Planning and Scoping — Defining test boundaries, compliance considerations, and client communication
Information Gathering and Vulnerability Scanning — Reconnaissance techniques, vulnerability identification, and analysis
Attacks and Exploits — Performing exploits against various platforms, evasion techniques, and post-exploitation activities
Reporting and Communication — Writing clear reports, recommending remediation, and presenting findings to stakeholders
Tools and Code Analysis — Using tools for scripting, automation, and analyzing scripts and code for vulnerabilities

Unlike purely theoretical exams, PenTest+ emphasizes practical, performance-based scenarios where candidates demonstrate real-world pentesting skills.

Who Should Take PenTest+ PT0-003?

This certification is ideal for:

Penetration testers seeking formal validation
Security consultants expanding service offerings
Red team members demonstrating skills
Ethical hackers pursuing career advancement
Cybersecurity analysts transitioning to offensive roles

Recommended Experience:

3-4 years of hands-on security experience
Network+ and Security+ knowledge (recommended)
Familiarity with scripting (Python, Bash, PowerShell)

These practice questions were the missing piece in my study plan!
As an aspiring penetration tester, I knew the PT0-003 exam would be challenging—but I did not realize how much hands-on, scenario-based thinking it required until I started studying. Textbook knowledge alone was not enough. That is when I discovered these PT0-003 practice questions, and they completely changed my approach. The questions mirrored real-world penetration testing workflows, from reconnaissance and vulnerability scanning to exploitation and reporting. Each scenario forced me to think like an attacker, not just memorize terms.

What stood out most were the detailed explanations, which broke down not only the correct answers but also the reasoning behind common pitfalls. I especially appreciated the focus on tools like Nmap, Metasploit, and Burp Suite, as well as the emphasis on compliance and legal considerations—topics that are critical in real engagements. By the time exam day arrived, I felt prepared to tackle even the most situational questions. This practice test didn't just help me pass—it made me a better pen tester. If you want to truly understand the material, not just scrape by, this is the resource you need.

Jordan L., Cybersecurity Consultant

The updated PenTest+ exam requires hands-on thinking about vulnerability assessment and penetration testing. Preptia.com delivered a PT0-003 practice exam that challenged me on attack vectors, tool usage, and reporting. The questions were so accurate that the real exam felt familiar. Passed easily!
Daniel Foster, Cybersecurity Analyst | Chicago, IL

Hands-on penetration testing concepts became clearer through the Preptia.com mock exams for CompTIA PenTest+ (PT0-003). The scenario-based exam questions covered vulnerability assessment and ethical hacking techniques thoroughly.
Arman Qureshi | Saudi Arabia