to determine whether the parameter is also vulnerable to reflected cross-site scripting"},{"@type":"Answer","text":"Submit ' OR '1'='1 to check whether the template engine passes input directly into a backend SQL query"}]}]}
CompTIA PenTest+ (PT0-003) · Difficulty

Hard PT0-003 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 34 hard questions available — no sign-up, always free.

Question 1 of 25

During a cloud application assessment, you notice the web app generates AWS S3 presigned URLs to let users download their own invoice PDFs. A sample URL is: https://invoices.s3.amazonaws.com/user/1042/invoice-2024.pdf?X-Amz-Signature=abc123&X-Amz-Expires=3600&X-Amz-Credential=AKIA...%2Fs3%2Faws4_request. You change the path from user/1042 to user/1001 while keeping the same signature and query parameters. Which outcome should you expect, and what does it reveal?

Reviewed for accuracy · Report an issue
Question 2 of 25

During a black-box external penetration test governed by a signed statement of work, a tester discovers what appears to be evidence of a prior, unauthorized breach in the client's web server logs — including malware and command-and-control artifacts unrelated to the current engagement. The contract contains no specific provision addressing this situation. What is the MOST appropriate immediate action for the tester to take?

Reviewed for accuracy · Report an issue
Question 3 of 25

During an internal engagement, your credentialed scan reports three findings on separate hosts: (1) a low-severity information-disclosure flaw on a web app that leaks internal hostnames and a service account name, (2) a medium-severity SMB signing-not-required setting on a file server, and (3) a low-severity anonymous LDAP bind on a domain controller. Individually each rates below the client's remediation threshold. The client asks why you flagged these as a single high-priority item in your report. Which analysis best justifies elevating the combined risk?

Reviewed for accuracy · Report an issue
Question 4 of 25

During a credentialed authenticated scan of a client's Linux web server, your scanner flags CVE-2021-44228 (Log4Shell) as a high-severity finding based on the Apache HTTP Server banner. Before including it in your report, you must validate whether it is a true positive. Which action provides the strongest evidence that this finding is a false positive?

Reviewed for accuracy · Report an issue
Question 5 of 25

During analysis of a scan report, you find two findings on an internal application server: (1) a CVE with a CVSS base score of 9.8 that requires the attacker to already have local administrative access and for which no public exploit or proof-of-concept exists, and (2) a CVE with a CVSS base score of 7.5 that is remotely exploitable over the network, unauthenticated, and has a weaponized Metasploit module publicly available. Given limited time in the engagement, which finding should you prioritize for exploitation first and why?

Reviewed for accuracy · Report an issue
Question 6 of 25

A penetration tester completes an authenticated scan of a client's environment and must prioritize remediation guidance. Four validated (non-false-positive) findings remain. Given the tester's goal of prioritizing by real-world exploitability and business impact, which finding should be ranked highest?

Reviewed for accuracy · Report an issue
Question 7 of 25

During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?

Reviewed for accuracy · Report an issue
Question 8 of 25

During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?

Reviewed for accuracy · Report an issue
Question 9 of 25

During an internal engagement, you have anonymous (null session) access to a Windows Server that appears to be a domain member. You need to enumerate valid domain user accounts to build a target list for later password spraying. RestrictAnonymous is set such that direct user listing via a null session returns no results, but you can still query the SAM/LSA over SMB. Which technique is MOST likely to yield a list of valid domain usernames in this situation?

Reviewed for accuracy · Report an issue
Question 10 of 25

During analysis of a large scan report, a penetration tester must recommend which vulnerability to prioritize for remediation. Two findings stand out: Finding X has a CVSS base score of 9.8 but an EPSS (Exploit Prediction Scoring System) score of 0.4% and no public exploit; Finding Y has a CVSS base score of 7.5, an EPSS score of 92%, and is actively being weaponized in the wild against internet-facing hosts identical to the client's exposed web server. Which recommendation best reflects risk-based prioritization?

Reviewed for accuracy · Report an issue
Question 11 of 25

During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?

Reviewed for accuracy · Report an issue
Question 12 of 25

During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?

Reviewed for accuracy · Report an issue
Question 13 of 25

After compromising a low-privilege account on a Linux web server during an internal engagement, you want to identify additional systems and data that may extend your reach. You run 'mount' and 'cat /etc/fstab' and notice an NFS export from 10.10.20.50 mounted at /mnt/backup with 'rw' access and no root_squash restriction visible. What is the MOST useful next action to leverage this discovery for lateral movement?

Reviewed for accuracy · Report an issue
Question 14 of 25

During a Linux post-exploitation phase, you have root on a production application server and need durable persistence that survives reboots but remains low-profile. The client's rules of engagement require that all persistence mechanisms be documented and cleanly removable at engagement end. You are considering an LD_PRELOAD-based technique. Which approach best balances persistence, stealth, and the ability to fully restore the environment during cleanup?

Reviewed for accuracy · Report an issue
Question 15 of 25

During a Linux post-exploitation engagement, you dropped a compiled binary into /usr/local/bin and modified /etc/systemd/system/backup.service to establish persistence. Before disengaging, the rules of engagement require you to minimize forensic artifacts while documenting all changes for the client. You already removed the persistence files. The blue team uses a file-integrity monitoring tool that alerts on modification timestamps deviating from the package baseline. Which action best addresses the timestamp artifact left by your file operations in the directory?

Reviewed for accuracy · Report an issue
Question 16 of 25

During an internal engagement, you have compromised a Linux jump host (10.10.1.5) that has SSH access to a second Linux host (10.10.2.9) in a segmented subnet. From 10.10.2.9 you can reach a database server (10.10.3.20) that is unreachable from both your attack box and the jump host. You need your attack box's tools to scan and interact with 10.10.3.20. Which approach correctly establishes reachability to the deepest target?

Reviewed for accuracy · Report an issue
Question 17 of 25

During a web application assessment, a tester examines an OAuth 2.0 authorization code flow. The authorization server validates the redirect_uri parameter using only a prefix match (it checks that the value begins with https://app.example.com). The tester notices the client application also hosts an open redirect at https://app.example.com/go?url=. Which attack does this combination most directly enable?

Reviewed for accuracy · Report an issue
Question 18 of 25

During an internal engagement, you run both an unauthenticated and a credentialed OpenVAS scan against the same Windows workstation. The unauthenticated scan reports a critical remote code execution vulnerability in an outdated version of a service, but the credentialed scan does not list that finding at all. Local patch records confirm the relevant update was installed last month. Which conclusion best explains the discrepancy, and what should you do?

Reviewed for accuracy · Report an issue
Question 19 of 25

During a web application assessment, a tester notices that an authentication token is passed in a cookie as a base64-encoded, AES-CBC-encrypted blob. When the tester submits a token with a slightly altered final block, the server returns a distinct '500 Internal Server Error' (invalid padding), whereas a semantically invalid but well-padded token returns a '403 Forbidden'. The tester wants to recover the plaintext of the token without knowing the encryption key. Which attack should the tester perform?

Reviewed for accuracy · Report an issue
Question 20 of 25

During an internal network assessment, you produce four validated findings: (1) an unauthenticated remote code execution vulnerability on an isolated lab host with no network route to production, (2) a stored XSS on the internal HR portal used by 400 employees, (3) a plaintext credential set found in a world-readable file share that includes a domain administrator password, and (4) a missing HTTP security header on a public marketing site. Management asks you to rank the single finding that should be remediated first based on realistic exploitability and business impact. Which finding do you place at the top?

Reviewed for accuracy · Report an issue
Question 21 of 25

During an internal network assessment, your credentialed scan returns four confirmed findings. Management asks which one to remediate first based on real-world risk, not just base score. Given the following, which vulnerability should be prioritized for immediate exploitation and remediation?

Reviewed for accuracy · Report an issue
Question 22 of 25

During an internal engagement, you capture NTLMv2 authentication attempts using Responder but need to escalate beyond offline cracking, which is too slow given weak-password policy is enforced. You enumerate the domain and identify several hosts where SMB signing is not required. You want to leverage the captured authentication to gain command execution on one of these hosts. What is the MOST effective next step?

Reviewed for accuracy · Report an issue
Question 23 of 25

During a web application assessment, you confirm a SQL injection vulnerability in a Microsoft SQL Server backend. However, the application returns no error messages, no visible query output, and no measurable time delays when you inject boolean or time-based payloads. Outbound TCP to the internet is blocked, but the database server is permitted to make outbound DNS queries. Which technique is most appropriate to extract data from this database?

Reviewed for accuracy · Report an issue
Question 24 of 25

During a web application assessment, you discover that a comment field on a product review page reflects unsanitized input that persists and executes for every visitor who loads the page. Your goal is to demonstrate impact by capturing authenticated user session tokens. However, testing reveals that the application sets its session cookie with the HttpOnly flag. Which technique should you use to still demonstrate meaningful session-related impact from this stored XSS?

Reviewed for accuracy · Report an issue
Question 25 of 25

During a web application assessment, a penetration tester notices that a 'greeting name' parameter is reflected directly in a rendered page. To test for server-side template injection, the tester submits the payload {{7*7}} and the response body displays '49'. Which follow-up action best confirms the vulnerability can be leveraged for remote code execution on the Flask/Jinja2 backend?

Reviewed for accuracy · Report an issue