Free CompTIA PT0-003 Practice Questions 2026 - Page 11

Explanation:

Wi-Fi networks operate on specific channels within the 2.4 GHz and 5 GHz bands. If a client’s cell phone cannot see a particular SSID, the most likely cause is that the access point (AP) is broadcasting on a channel not currently being scanned by the phone's Wi-Fi adapter. Channel scanning forces the wireless interface to cycle through all available channels (e.g., 1–11 in 2.4 GHz, 36–165 in 5 GHz) to discover hidden or non-default channel SSIDs. This is the standard troubleshooting step for missing networks.

Why other options are incorrect

A. Sidecar scanning
– Not a standard Wi-Fi troubleshooting term. May refer to side-channel attacks or companion device scanning, but irrelevant to SSID discovery.

C. Stealth scanning
– Typically refers to隐蔽 port scanning techniques (e.g., SYN scan) in network penetration testing, not Wi-Fi SSID detection. Does not apply to wireless network discovery.

D. Static analysis scanning
– Used in software security (binary or code analysis without execution). Completely unrelated to wireless network troubleshooting.

References

CompTIA PenTest+ PT0-003 – Domain 2.3 (Wireless Network Scanning): "Perform channel scanning to discover SSIDs not visible on default channels."

IEEE 802.11 standards – Channel scanning (passive listening + active probes) is required for AP discovery.

Explanation:

The scan reveals that /cgi-bin/debug.sh requires no authentication and is accessible via Apache with mod_cgi enabled. CGI scripts are executed on the server when requested. Reviewing the contents of debug.sh is the most effective immediate action because:

It may contain hardcoded credentials, debug commands, or system calls.
It could allow command injection or direct remote code execution.
This is a low-effort, high-impact information gathering step before any exploitation.

Why other options are incorrect

A. msfvenom + /admin upload
– /admin has directory listing enabled, but that does not guarantee write permissions. Uploading a payload may fail due to missing file write access or upload functionality. Premature without understanding the environment.

C. Nikto scan on port 80
– Nikto is a web vulnerability scanner, but the tester already has specific actionable intelligence (CGI script with no auth). Running a full Nikto scan is redundant and slower than directly reviewing the script.

D. Brute-force against OpenSSH 7.2p2
– SSH brute-forcing is noisy, time-consuming, and may trigger lockouts or alerts. No indication of weak SSH credentials. Higher risk and lower priority than exploiting an already discovered unauthenticated CGI script.

References

CompTIA PenTest+ PT0-003 – Domain 3.2 (Exploits): "Abuse misconfigured CGI scripts for remote code execution."

OWASP Testing Guide – Testing for CGI vulnerabilities (CVE-2014-6271 Shellshock, command injection).

Apache mod_cgi documentation – CGI scripts execute with web server privileges; unauthenticated access is a critical finding.

Explanation:

sqlmap is an open-source tool specifically designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports multiple database backends (MySQL, MSSQL, Oracle, PostgreSQL), can extract data, bypass WAF rules, and even gain OS shell access. For testing a web application's security, SQL injection remains one of the most critical and common flaws, and sqlmap is the industry-standard tool for this purpose.

Why other options are incorrect

A. OpenVAS – A full-featured vulnerability scanner for networks and hosts (e.g., missing patches, weak configs). It is not specialized for web application logic flaws like SQLi or XSS.

B. Nessus – Another network vulnerability scanner. While it includes some web application checks, it is not as deep or flexible as dedicated web app testing tools like sqlmap or Burp Suite.

D. Nikto – A web server scanner that checks for outdated server versions, dangerous files, and common misconfigurations. It does not actively exploit SQL injection or deeply test application logic.

References:

CompTIA PenTest+ PT0-003 – Domain 2.4 (Web Application Scanning): "Use sqlmap to detect and exploit SQL injection vulnerabilities."

OWASP Top 10 – A1:2021 – Broken Access Control / A3:2021 – Injection (SQLi). sqlmap is the referenced tool for SQLi automation.

Explanation:

In /etc/passwd, the third and fourth fields are UID (user ID) and GID (group ID). The value 0 represents root privileges. By setting 1001:1001, the new user root2 will have standard non-privileged user rights, not root. Changing these to 0:0 makes root2 an alternative root account with full system access. This is a common persistence technique after obtaining write access to /etc/passwd.

Why other options are incorrect

A. Use only a single redirect
– The command already uses >> (append). A single > would overwrite /etc/passwd, breaking the system. The double redirect is correct for appending.

B. Generate the password using md5sum
– The openssl passwd output shows $1$ prefix, which indicates MD5-based crypt (already correct). md5sum alone does not produce a valid password hash format for /etc/passwd.

C. Log in to the host using SSH
– SSH login is irrelevant to making the exploit work. The exploit modifies /etc/passwd locally; SSH may be used later to test access but is not required for the exploit to function.

References

CompTIA PenTest+ PT0-003 – Domain 3.4 (Privilege Escalation & Persistence): "Modify /etc/passwd to add root user with UID 0."

Linux /etc/passwd format – username:password:UID:GID:GECOS:home:shell – UID 0 = root.

MITRE ATT&CK T1136.001 – "Create Account: Local Account" with root UID.

Explanation:

Reverse DNS lookups query DNS servers to map IP addresses back to hostnames. This method generates standard DNS traffic (UDP/TCP 53), which is almost never blocked or alerted by IPS because DNS is essential for normal network operations. No raw packets are sent to target IPs directly, so it bypasses IPS signature detection that triggers on ICMP, ARP, or SYN scans. This is a passive or low-noise discovery technique when the tester already has access to the local network segment and DNS servers.

Why other options are incorrect

B. Nmap ping sweep
– Sends ICMP echo requests, TCP SYN/ACK, or ARP probes. These are actively scanned and easily detected by IPS signatures (e.g., "ICMP sweep," "port scan").

C. LLMNR poisoning using Responder
– Actively listens and responds to LLMNR/NBT-NS requests. This is not a host discovery method; it's a spoofing attack for credential theft. It also generates suspicious traffic that some IPS can detect.

D. Viewing local routing table
– Shows the tester's own routing information (default gateway, local subnets). It does not identify other hosts on the network.

References

CompTIA PenTest+ PT0-003 – Domain 2.1 (Passive/Stealth Discovery): "Use DNS interrogation to identify hosts without active scanning."

MITRE ATT&CK T1046 – Network Service Scanning – but reverse DNS is a passive alternative (T1590.005).

Explanation:

Stakeholder alignment ensures that all parties (client management, IT security, legal, compliance, and the testing team) have a shared understanding of the penetration test scope, objectives, rules of engagement, and reporting expectations. When stakeholders are aligned from the start, the final deliverable (report) meets client needs, contains relevant findings, avoids scope disputes, and uses agreed-upon risk ratings. Misalignment is the #1 reason clients reject deliverables due to irrelevant findings, incorrect severity levels, or unexpected testing behaviors.

Why other options are incorrect

A. Goal reprioritization
– Changing goals mid-test can cause confusion and scope creep. It does not prevent rejection; it may increase it if not properly communicated.

C. Non-disclosure agreement (NDA)
– An NDA protects confidentiality but does not address the quality, relevance, or acceptance of the final report.

D. Business impact analysis (BIA)
– BIA identifies critical systems and downtime impacts. While useful for scoping, it does not ensure stakeholder agreement on deliverable format or content.

References

CompTIA PenTest+ PT0-003 – Domain 1.0 (Planning and Scoping): "Stakeholder alignment ensures acceptance of deliverables."

PTES (Penetration Testing Execution Standard) – Pre-engagement interactions require stakeholder agreement on scope, rules, and reporting.

Explanation:

The Social-Engineer Toolkit (SET) includes a credential harvester module that clones a legitimate login page (e.g., intranet portal), hosts it on an attacker-controlled server, and captures any credentials entered by victims. The tester cloned the company's intranet login page and sent the malicious link via email — this is a classic credential harvesting attack using SET’s "Website Attack Vectors" → "Credential Harvester Attack Method." The objective is to steal usernames and passwords, not just click tracking or session hijacking.

Why other options are incorrect

A. Gaining remote access using BeEF
– BeEF (Browser Exploitation Framework) hooks browsers for client-side attacks (e.g., stealing cookies, executing JavaScript). It does not clone login pages for credential harvesting as its primary method.

B. Obtaining the list of email addresses using theHarvester
– theHarvester passively collects email addresses from public sources (search engines, LinkedIn, PGP servers). It does not send phishing emails or clone intranet pages.

D. Launching a phishing campaign using GoPhish – GoPhish is a phishing framework that sends emails and tracks clicks. However, it is not primarily a credential harvester with integrated page cloning. SET is the more specific and correct tool for cloning + harvesting.

References

CompTIA PenTest+ PT0-003 – Domain 3.1 (Social Engineering): "Use SET to clone login pages and harvest credentials."

SET (Social-Engineer Toolkit) documentation – Credential harvester attack vector.

MITRE ATT&CK T1598 – Phishing for Information; T1056.001 (Input Capture: Keylogging via web portals).

Explanation:

The command host -t axfr domain.com dnsl.domain.com requests a DNS zone transfer (AXFR query). -t axfr specifies the transfer type, domain.com is the zone requested, and dnsl.domain.com is the target DNS server. A successful zone transfer returns all DNS records (A, MX, NS, TXT, etc.) for the domain, revealing internal hostnames and network architecture. This is a classic information gathering technique often restricted to trusted secondary DNS servers but sometimes misconfigured to allow any client.

Why other options are incorrect

B. Host enumeration
– Broad term for discovering hosts (e.g., ping sweeps, DNS brute force). Zone transfer is a specific type of DNS enumeration, but the question asks for the technique best described by the exact command.

C. DNS poisoning
– Corrupting DNS cache to redirect traffic (e.g., spoofed responses). The host -t axfr command performs a legitimate query, not an injection or spoofing attack.

D. DNS query
– Too generic. A standard query (e.g., host domain.com) returns a single record. The -t axfr flag specifically requests a zone transfer, which is a distinct operation.

References

CompTIA PenTest+ PT0-003 – Domain 2.1 (Information Gathering): "Perform DNS zone transfers to enumerate internal hosts."

RFC 5936 – DNS Zone Transfer Protocol (AXFR).

Explanation:

Nmap’s UDP scan (-sU) sends an empty UDP packet to the target port. If it receives a UDP response (e.g., SNMP trap or protocol-specific reply), the port is marked open. If it receives an ICMP port unreachable error, the port is closed. If no response is received at all (due to filtering, packet loss, or silent services), Nmap marks the port open|filtered. SNMP (port 161) often does not reply to empty UDP probes — it waits for a properly formatted SNMP GET request. Since snmpwalk later succeeded with valid responses, the port is truly open, but the initial probe received no reply, causing the open|filtered state.

Why other options are incorrect

A. SNMP daemon delayed response
– UDP scan timeouts are fixed (default ~1s). SNMP typically does not respond to empty probes at all, not just delayed.

C. Rate limiting
– No evidence of rate limiting; snmpwalk worked fine. Rate limiting would cause intermittent replies, not complete silence for an empty probe.

D. Lack of root privileges
– Root is not required for UDP scans; non-root users can send raw UDP packets. Root is needed for SYN scans (-sS) or certain OS detection features.

References

CompTIA PenTest+ PT0-003 – Domain 2.2: "Interpret Nmap UDP scan states (open|filtered)."

Nmap documentation – UDP scan: no response = open|filtered; ICMP unreachable = closed.

SNMP behavior – Port 161 ignores malformed/empty UDP packets; requires proper community string and OID request.

Explanation:

The command searches the entire filesystem (find /) for files owned by root (-user root) with the SETUID bit set (-perm -4000). SETUID files execute with the owner's privileges (root), even when run by a non-root user. Misconfigured or vulnerable SETUID binaries are a common privilege escalation vector. The tester is enumerating special permissions (SETUID) to identify potential privilege escalation paths — not general permissions, but specifically the SETUID permission bit.

Why other options are incorrect

A. Attack path mapping
– Too broad; refers to mapping multi-step attack chains. This command is a specific enumeration for one vulnerability type (SETUID binaries).

B. API keys
– Not relevant. API keys are typically found in config files, environment variables, or source code — not identified by searching for SETUID root files.

C. Passwords
– Passwords are stored in /etc/shadow, configuration files, or databases. This command does not search for password artifacts.

References
CompTIA PenTest+ PT0-003 – Domain 3.4 (Privilege Escalation): "Enumerate SETUID binaries for privilege escalation."
Linux file permissions – -4000 = SETUID bit; find -perm checks permission masks.
MITRE ATT&CK T1548.001 – "Abuse Elevation Control Mechanism: Setuid and Setgid."
GTFOBins – Documents exploitable SETUID binaries for privilege escalation.