PT0-003 Exam Dumps - CompTIA PenTest+ Exam

The command find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the permissions of the user running the file.

Understanding the Command:

find /: Search the entire filesystem.

-user root: Limit the search to files owned by the root user.

-perm -4000: Look for files with the SUID bit set.

-exec ls -ldb {} \;: Execute ls -ldb on each found file to list it in detail.

2>/dev/null: Redirect error messages to /dev/null to avoid cluttering the output.

Purpose:

Enumerating SUID Files: The command is used to identify files with elevated privileges that might be exploited for privilege escalation.

Security Risks: SUID files can pose security risks if they are vulnerable, as they can be used to execute code with root privileges.

Why Enumerate Permissions:

Identifying SUID files is a crucial step in privilege escalation as it reveals potential attack vectors that can be exploited to gain root access.

References from Pentesting Literature:

Enumeration of SUID files is a common practice in penetration testing, as discussed in various guides and write-ups.

HTB write-ups often detail how finding and exploiting SUID binaries can lead to root access on a target system.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

In a cloud-hosted VDI scenario, the highest-value next step is typically to identify cloud credentials and configuration artifacts that enable access beyond the single desktop instance. The .aws directory is a well-known location where AWS command-line tooling stores sensitive material such as credential profiles and configuration details (for example, access keys, session tokens, default regions, and named profiles). PenTest+ emphasizes post-exploitation enumeration that targets credential sources capable of expanding access and impact, especially in cloud environments where a single set of keys may permit interacting with storage, compute, identity, and management APIs.

While .ssh can contain private keys useful for pivoting to other servers, in many cloud deployments SSH keys are scoped to specific hosts, whereas cloud access keys can unlock broader control-plane capabilities depending on attached permissions. .zsh_history is valuable for discovering commands and potentially leaked secrets, but it is less direct than immediately checking for structured cloud credentials. User folders like Documents are lower priority compared to credential repositories that can rapidly escalate the assessment’s scope of access.

Software Composition Analysis (SCA) is used to analyze dependencies in applications and identify vulnerable open-source libraries.

Option A (VM - Virtual Machine) ❌: A VM is a computing environment, not a vulnerability detection tool.

Option B (IAST - Interactive Application Security Testing) ❌: IAST analyzes runtime behavior, but it does not specialize in detecting vulnerable libraries.

Option C (DAST - Dynamic Application Security Testing) ❌: DAST scans running applications for vulnerabilities, but it does not analyze open-source libraries.

Option D (SCA - Software Composition Analysis) ✅: Correct.

Identifies security flaws in dependencies.

Used for managing supply chain risks.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Software Composition Analysis (SCA)

PEAP is an 802.1X “enterprise” wireless authentication method that uses a TLS tunnel to protect an inner authentication exchange (commonly username/password–based mechanisms). In PenTest+ wireless assessments, credential collection against enterprise Wi-Fi is most often attempted through rogue access point / evil twin style attacks combined with social engineering and traffic relaying, where the tester stands up an attacker-controlled AP to entice clients to connect and then captures authentication attempts or harvests credentials via a controlled portal/workflow.

WiFi-Pumpkin is a framework designed to rapidly create rogue APs and support interception and credential-harvesting scenarios, aligning with the objective of collecting credentials during a controlled wireless security test. InSSIDer is primarily for wireless discovery and signal/AP enumeration, not credential collection. HackRF One is SDR hardware useful for radio experimentation and analysis, but it is not a complete PEAP credential-harvesting workflow by itself. Aircrack-ng is most associated with WPA/WPA2-PSK capture/cracking and general 802.11 attacks, but it is not the best fit for PEAP credential collection compared with a rogue-AP framework.

Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users. Here’s why option C is correct:

XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user’s browser. The scenario describes injecting a JavaScript prompt, which is a typical XSS payload.

SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.

SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.

Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript that executes in the user’s browser.

References from Pentest:

Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications​​.

Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser​​.

======

Windows provides built-in utilities for user enumeration and privilege escalation.

net command (Option C):

The net command is used to list users, groups, and shares on a Windows system:

net user

net localgroup administrators

net group "Domain Admins" /domain

Useful for gathering privilege escalation targets and understanding user permissions.

The unauthorized reprinting of ID badges suggests the penetration tester is attempting physical security penetration testing to gain long-term access.

Option A (Obtain long-term, valid access) ✅: Correct. Cloning or reprinting badges allows persistent access past security checks.

Option B (Disrupt availability) ❌: There is no indication of a denial-of-service attack.

Option C (Change access for valid users) ❌: The goal is not modifying user access, but rather gaining unauthorized access.

Option D (Revoke access for valid users) ❌: The logs show new badges being printed, not revocation.

📖 Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing

The tester identified an HTTPS downgrade attack (e.g., SSL stripping). The best mitigation is to enforce HSTS (HTTP Strict Transport Security).

HSTS (Option A):

HSTS (Strict-Transport-Security) ensures that the browser always uses HTTPS, preventing downgrade attacks.

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains