PT0-003 Exam Dumps - CompTIA PenTest+ Exam

DIR_MODE=0777 configures new home directories to be created world-readable, world-writable, and world-executable (rwxrwxrwx). With such permissive permissions, any unprivileged local user can traverse into other users’ home directories, list files, read them, and even modify or replace them. That makes exposure of other users’ sensitive data the most likely and immediate outcome once the tester has any local user account.

Why the other options are less likely:

B. Unauthorized sudo execution: Requires membership in sudo/wheel or explicit entries in /etc/sudoers. Nothing in the snippet indicates that, and file mode on home dirs doesn’t grant sudo.

C. Hijacking default login shells: DSHELL=/bin/zsh only sets the default shell for new users. Replacing /bin/zsh or altering /etc/passwd would require root.

D. Corrupting the skeleton configuration: SKEL=/etc/systemd-conf/temp-skeleton is under /etc/…, which is root-owned on standard systems. A normal user cannot write there, so “corrupting the skeleton” is unlikely without privilege escalation.

Practical exploitation as a non-privileged user (illustrative):

# Find world-writable homes

find /home -maxdepth 1 -type d -perm -0002 -ls

# Read another user's files

cd /home/targetuser && ls -la && cat Documents/tax_return.pdf

(Depending on per-file permissions.)

CompTIA PenTest+ PT0-003 Objective Mapping (for study):

Domain 3.0 Attacks and Exploits

3.1 Exploit system vulnerabilities and misconfigurations (e.g., insecure file permissions leading to data exposure/privilege abuse).

Badge cloning typically involves copying the data from access control badges, which frequently utilize the following technologies:

NFC (Near-Field Communication):

NFC is a subset of RFID technology that operates at short ranges (up to 10 cm). It is commonly used in modern access control systems, payment systems, and badge technologies. NFC cloning tools can intercept and copy badge data.

RFID (Radio-Frequency Identification):

RFID operates over a broader range of frequencies and distances than NFC. Many legacy access systems use RFID badges, which are susceptible to cloning attacks using RFID readers and cloning devices.

Exclusions:

Bluetooth, Modbus, Zigbee, CAN bus are not typically used in badge-based access control systems and are unrelated to badge cloning.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Domain 4.0 (Penetration Testing Tools)

When a penetration tester discovers hard-coded credentials in a file within an unprotected source code repository, the next steps should focus on documentation and further investigation to identify additional security issues.

Taking a Screen Capture (Option B):

Documentation: It is essential to document the finding for the final report. A screen capture provides concrete evidence of the discovered hard-coded credentials.

Audit Trail: This ensures that there is a record of the vulnerability and can be used to communicate the issue to stakeholders, such as the development team or the client.

Investigating for Other Embedded Passwords (Option C):

Thorough Search: Finding one hard-coded password suggests there might be others. A thorough investigation can reveal additional credentials, which could further compromise the security of the system.

Automation Tools: Tools like truffleHog, git-secrets, and grep can be used to scan the repository for other instances of hard-coded secrets.

Pentest References:

Initial Discovery: Discovering hard-coded credentials often occurs during source code review or automated scanning of repositories.

Documentation: Keeping detailed records of all findings is a critical part of the penetration testing process. This ensures that all discovered vulnerabilities are reported accurately and comprehensively.

Further Investigation: After finding a hard-coded credential, it is best practice to look for other security issues within the same repository. This might include other credentials, API keys, or sensitive information.

Steps to Perform:

Take a Screen Capture:

Use a screenshot tool to capture the evidence of the hard-coded credentials. Ensure the capture includes the context, such as the file path and relevant code lines.

Investigate Further:

Use tools and manual inspection to search for other embedded passwords.

Commands such as grep can be helpful:

grep -r 'password' /path/to/repository

Tools like truffleHog can search for high entropy strings indicative of secrets:

trufflehog --regex --entropy=True /path/to/repository

By documenting the finding and investigating further, the penetration tester ensures a comprehensive assessment of the repository, identifying and mitigating potential security risks effectively.

=================

Breach and Attack Simulation (BAS) tools emulate real-world attacks to test security controls.

Atomic Red Team (Option C):

Atomic Red Team is an open-source BAS framework that provides simple commands to simulate MITRE ATT&CK® techniques.

It allows controlled adversary simulations without real exploitation.

The tool that the penetration tester should use for further investigation is WPScan. This is because WPScan is a WordPress vulnerability scanner that can detect common WordPress security issues, such as weak passwords, outdated plugins, and misconfigured settings. WPScan can also enumerate WordPress users, themes, and plugins from the robots.txt file.

The two entries in the robots.txt file that the penetration tester should recommend for removal are:

Allow: /admin

Allow: /wp-admin

These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application’s backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.

When testing a power plant's network and needing to avoid disruption to the grid, configuring a port mirror and reviewing the network traffic is the most appropriate method to identify vulnerabilities without causing disruptions.

Port Mirroring:

Definition: Port mirroring (SPAN - Switched Port Analyzer) is a method of monitoring network traffic by duplicating packets from one or more switch ports to another port where a monitoring device is connected.

Purpose: Allows passive monitoring of network traffic without impacting network operations or device performance.

Avoiding Disruption:

Non-Intrusive: Port mirroring is non-intrusive and does not generate additional traffic or load on the network devices, making it suitable for sensitive environments like power plants where disruption is not acceptable.

Other Options:

Network Scanner Engine: Active scanning might disrupt network operations or devices, which is not suitable for critical infrastructure.

Testing Framework: Validating vulnerabilities on devices might involve active testing, which can be disruptive.

Network Mapper Tool: Running a network mapper tool (like Nmap) actively scans the network and might disrupt services.

Pentest References:

Passive Monitoring: Passive techniques such as port mirroring are essential in environments where maintaining operational integrity is critical.

Critical Infrastructure Security: Understanding the need for non-disruptive methods in critical infrastructure penetration testing to ensure continuous operations.

By configuring a port mirror and reviewing network traffic, the penetration tester can identify vulnerabilities in the power plant's network without risking disruption to the grid.

=================

RFID Cloning:

RFID (Radio-Frequency Identification) cloning involves copying the data from an access badge and creating a duplicate that can be used for unauthorized entry.

Tools like Proxmark or RFID duplicators are commonly used for this purpose.

Why Not Other Options?

A (Smurfing): A network-based denial-of-service attack, unrelated to physical access.

B (Credential stuffing): Involves using stolen credentials in bulk for authentication attempts, unrelated to badge cloning.

D (Card skimming): Relates to stealing credit card information, not access badges.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

Script Analysis:

Line 1: import requests - Imports the requests library to handle HTTP requests.

Line 2: import pathlib - Imports the pathlib library to handle file paths.

Line 4: for url in pathlib.Path("urls.txt").read_text().split("\n"): - Reads the urls.txt file, splits its contents by newline, and iterates over each URL.

Line 5: response = requests.get(url) - Sends a GET request to the URL and stores the response.

Line 6: if response.status == 401: - Checks if the response status code is 401 (Unauthorized).

Line 7: print("URL accessible") - Prints a message indicating the URL is accessible.

Error Identification:

The condition if response.status == 401: is incorrect for determining if a URL is publicly accessible. A 401 status code indicates that the resource requires authentication.

Correct Condition:

The correct condition should check for a 200 status code, which indicates that the request was successful and the resource is accessible.

Corrected Script:

Replace if response.status == 401: with if response.status_code == 200: to correctly identify publicly accessible URLs.

Pentest References:

In penetration testing, checking the accessibility of multiple URLs is a common task, often part of reconnaissance. Identifying publicly accessible resources can reveal potential entry points for further testing.

The requests library in Python is widely used for making HTTP requests and handling responses. Understanding HTTP status codes is crucial for correctly interpreting the results of these requests.

By changing the condition to check for a 200 status code, the script will correctly identify and print URLs that are publicly accessible.

=================