"},{"@type":"Answer","text":"' OR '1'='1' --"},{"@type":"Answer","text":"../../../../etc/passwd%00"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm has completed a web application assessment for a healthcare client subject to HIPAA. During testing, the team captured screenshots and database extracts containing protected health information (PHI) to demonstrate exploit impact. As the engagement closes, the client's compliance officer asks how the firm will handle the sensitive data it collected. Which action BEST satisfies the firm's obligations at engagement closeout?","acceptedAnswer":{"@type":"Answer","text":"Follow the data retention and secure destruction procedures defined in the rules of engagement, then provide the client a certificate of destruction"},"suggestedAnswer":[{"@type":"Answer","text":"Retain the captured PHI indefinitely on the firm's servers so it can be referenced if the client disputes any finding"},{"@type":"Answer","text":"Immediately delete all evidence, including the final report, to eliminate any liability for holding PHI"},{"@type":"Answer","text":"Upload the collected PHI to the client's public ticketing system so their staff can independently verify each finding"}]},{"@context":"https://schema.org","@type":"Question","text":"During a kickoff call, a client's IT manager verbally provides a list of IP ranges and web application URLs that are in scope for an upcoming external penetration test. The engagement is scheduled to begin in two days. Which action should the lead tester take BEFORE any active testing to ensure the scope is properly authorized and defensible?","acceptedAnswer":{"@type":"Answer","text":"Obtain a documented, signed scope definition and authorization that explicitly lists the approved IP ranges and URLs"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the provided ranges immediately since the IT manager confirmed them during the kickoff call"},{"@type":"Answer","text":"Run a broad discovery scan across the client's entire public ASN to identify any additional assets that might belong in scope"},{"@type":"Answer","text":"Email the IT manager asking them to forward the ranges to the tester's personal mailbox for record keeping"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have permission to map a target's 10.20.30.0/24 subnet. You want to passively correlate live IP addresses with meaningful hostnames without sending traffic to each host directly. Which technique best supports building this network map by leveraging the organization's own DNS infrastructure?","acceptedAnswer":{"@type":"Answer","text":"Run reverse DNS (PTR) lookups against the organization's DNS server for each IP in the range"},"suggestedAnswer":[{"@type":"Answer","text":"Perform an Nmap SYN scan (-sS) across all 254 hosts to identify open ports"},{"@type":"Answer","text":"Send ICMP echo requests to the broadcast address to enumerate responding hosts"},{"@type":"Answer","text":"Query crt.sh certificate transparency logs for the internal subnet"}]}]}
CompTIA PenTest+ (PT0-003) · Difficulty

Medium PT0-003 practice questions

Applied — put a concept to work in a realistic situation. 140 medium questions available — no sign-up, always free.

Question 1 of 25

During the passive reconnaissance phase of an external engagement, a penetration tester wants to build a comprehensive list of the target organization's subdomains without sending any packets directly to the target's infrastructure. The tester needs a tool that aggregates data from third-party sources such as certificate transparency logs, search engine results, and DNS aggregation databases. Which command best supports this goal?

Reviewed for accuracy · Report an issue
Question 2 of 25

During a mobile application assessment, a penetration tester discovers that a corporate Android tablet used for kiosk purposes has ADB (Android Debug Bridge) exposed over the network on TCP port 5555 with no authentication. The tester can already reach the device from their laptop on the same segment. Which command allows the tester to install a repackaged, instrumented version of the target APK onto the device to observe runtime behavior and hook API calls?

Reviewed for accuracy · Report an issue
Question 3 of 25

During an internal engagement, you are positioned on a flat /24 network segment that carries traffic between a group of workstations and a legacy internal web application that authenticates over HTTP. You want to intercept credentials that users submit to this application without deploying a rogue access point or disrupting the entire segment. Which technique will most effectively allow you to capture the plaintext credentials in transit?

Reviewed for accuracy · Report an issue
Question 4 of 25

During an internal engagement, a penetration tester queries Active Directory and discovers several user accounts that have the 'Do not require Kerberos preauthentication' flag set. The tester wants to leverage this misconfiguration to obtain crackable credential material without needing any valid domain account authentication first. Which attack technique should the tester use?

Reviewed for accuracy · Report an issue
Question 5 of 25

During a cloud-focused engagement, you obtain a set of AWS access keys from a compromised developer laptop. Before pivoting, you want to passively determine which permissions the key set actually holds without triggering obvious changes to the environment. Which action is the MOST appropriate first step to enumerate the effective permissions of these credentials?

Reviewed for accuracy · Report an issue
Question 6 of 25

During a cloud penetration test, you gain remote code execution on an Azure Linux VM through a vulnerable web application. You confirm the VM has a system-assigned managed identity attached. Your goal is to leverage this identity to move laterally and access other Azure resources. What is the MOST effective next step?

Reviewed for accuracy · Report an issue
Question 7 of 25

During a physical security assessment of a corporate office, you notice several employees using older Bluetooth-enabled mobile devices that remain in discoverable mode. You want to demonstrate the risk of an attacker extracting contact lists, calendar entries, and emails from these devices without the user's knowledge or authorization. Which attack technique should you use to demonstrate this specific risk?

Reviewed for accuracy · Report an issue
Question 8 of 25

During a web application assessment, your Burp Suite active scan flags a high-severity SQL injection vulnerability on a login form's username parameter. Before including it in your report, you want to confirm the finding is not a false positive with the least intrusive verification method. Which action best confirms the vulnerability?

Reviewed for accuracy · Report an issue
Question 9 of 25

A retail client hires your firm to perform a penetration test to satisfy an annual PCI DSS requirement. During scoping, the client states that their cardholder data environment (CDE) is isolated from the corporate network by firewalls and VLAN segmentation. To properly define the scope of the engagement in line with PCI DSS guidance, which action should the penetration tester prioritize?

Reviewed for accuracy · Report an issue
Question 10 of 25

During the cleanup phase of an authorized internal penetration test, you must restore a compromised Windows Server 2019 host to its pre-test state. Earlier in the engagement, you uploaded a custom credential-dumping tool to C:\Windows\Temp, created a local service named 'SysUpdate' for persistence, and modified a registry Run key. The client's SOW explicitly requires that all testing artifacts be removed and that any actions taken be documented for the final report. Which approach BEST satisfies the cleanup requirements for this engagement?

Reviewed for accuracy · Report an issue
Question 11 of 25

During an authorized cloud penetration test, you gain command execution on an EC2 instance through a vulnerable web application. To escalate access, you want to enumerate the temporary IAM credentials associated with the instance's role. Which action should you take to retrieve those credentials from within the instance?

Reviewed for accuracy · Report an issue
Question 12 of 25

A penetration testing firm is contracted to assess a client's web application that is hosted entirely on a third-party cloud provider's infrastructure (IaaS). The signed contract and rules of engagement between the firm and the client authorize active exploitation of the application. As the lead tester reviews the scope during pre-engagement, which action is MOST important to take before launching any testing activity?

Reviewed for accuracy · Report an issue
Question 13 of 25

During the reconnaissance phase of an authorized cloud assessment for a retail company, a penetration tester wants to discover publicly exposed AWS S3 buckets belonging to the target without generating traffic directly against the client's production infrastructure. The tester has the company name, brand names, and common naming conventions the organization uses. Which approach BEST supports passive discovery of exposed storage buckets while minimizing direct interaction with the target?

Reviewed for accuracy · Report an issue
Question 14 of 25

A penetration tester merges vulnerability scan results from three subnets and receives 4,200 individual findings. Analysis shows that 3,100 of them are variations of 'Missing security patch' reported per-host, and most trace back to a single unpatched base image used across the environment. The tester must present actionable results to a client with a limited remediation window. What is the MOST effective way to analyze and prioritize these findings for the report?

Reviewed for accuracy · Report an issue
Question 15 of 25

During a web application assessment, you find a network diagnostic feature that pings a user-supplied hostname. When you submit '127.0.0.1; whoami' the page returns only the normal ping output with no visible command result, and time-based payloads like '127.0.0.1 && sleep 10' produce no observable delay. You suspect command injection but cannot see any output. Which technique is MOST likely to confirm the vulnerability?

Reviewed for accuracy · Report an issue
Question 16 of 25

During an internal engagement, your vulnerability scanner flags a Windows file server as vulnerable to a critical RCE (CVE-2023-XXXX) affecting a specific print spooler version. The scanner scored it CVSS 9.8. Before adding it to the report as an exploitable critical finding, you want to determine whether the vulnerability is truly present and reachable without crashing the production server. Which action BEST validates this finding while minimizing operational risk?

Reviewed for accuracy · Report an issue
Question 17 of 25

During an internal assessment, your vulnerability scanner returns two CVSS 9.8 findings: (1) an unauthenticated RCE on a lab print server that has no network route to production and stores no data, and (2) an unauthenticated RCE on a domain controller that hosts Active Directory for the entire organization. Both have public, weaponized exploits. Your remediation report must prioritize the findings. Which approach correctly reflects vulnerability prioritization for this engagement?

Reviewed for accuracy · Report an issue
Question 18 of 25

During analysis of a vulnerability scan for an internet-facing web application server, a penetration tester finds several high and critical CVSS-rated findings. The client has limited remediation capacity and asks the tester which vulnerability should be addressed first. All findings have similar CVSS base scores. Which additional data source should the tester consult to identify vulnerabilities that are being actively exploited in the wild by threat actors?

Reviewed for accuracy · Report an issue
Question 19 of 25

During an internal assessment, a penetration tester runs an unauthenticated network vulnerability scan against a fleet of Windows workstations. The report shows only a handful of network-service findings, yet the client insists their patch management is inconsistent and many local application vulnerabilities likely exist. The tester wants the most accurate view of missing OS and third-party patches (e.g., outdated Adobe Reader, unpatched local privilege-escalation flaws) without deploying agents. What should the tester do next?

Reviewed for accuracy · Report an issue
Question 20 of 25

During an internal network penetration test, you discover an actively exploited vulnerability on a domain controller, along with evidence suggesting a previously unknown third-party breach. The rules of engagement specify weekly status reports and a named technical point of contact. What is the most appropriate immediate action?

Reviewed for accuracy · Report an issue
Question 21 of 25

During passive reconnaissance of a target organization, a penetration tester wants to discover subdomains and internal-sounding hostnames (such as vpn.example.com and dev-api.example.com) without sending any packets to the target's infrastructure. Which technique will BEST accomplish this goal?

Reviewed for accuracy · Report an issue
Question 22 of 25

During a web application assessment of a customer feedback portal, you notice that submitted comments are later exported by administrators into a CSV file and opened in Microsoft Excel. You want to test whether you can achieve code execution on an administrator's workstation through the data you submit. Which payload should you inject into the comment field to test this vulnerability?

Reviewed for accuracy · Report an issue
Question 23 of 25

A penetration testing firm has completed a web application assessment for a healthcare client subject to HIPAA. During testing, the team captured screenshots and database extracts containing protected health information (PHI) to demonstrate exploit impact. As the engagement closes, the client's compliance officer asks how the firm will handle the sensitive data it collected. Which action BEST satisfies the firm's obligations at engagement closeout?

Reviewed for accuracy · Report an issue
Question 24 of 25

During a kickoff call, a client's IT manager verbally provides a list of IP ranges and web application URLs that are in scope for an upcoming external penetration test. The engagement is scheduled to begin in two days. Which action should the lead tester take BEFORE any active testing to ensure the scope is properly authorized and defensible?

Reviewed for accuracy · Report an issue
Question 25 of 25

During an internal engagement, you have permission to map a target's 10.20.30.0/24 subnet. You want to passively correlate live IP addresses with meaningful hostnames without sending traffic to each host directly. Which technique best supports building this network map by leveraging the organization's own DNS infrastructure?

Reviewed for accuracy · Report an issue