CompTIA PenTest+ (PT0-003) · Domain 5 · 14% of exam

Post-exploitation and Lateral Movement

Drill 20 practice questions focused entirely on Post-exploitation and Lateral Movement for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During the cleanup phase of an authorized internal penetration test, you must restore a compromised Windows Server 2019 host to its pre-test state. Earlier in the engagement, you uploaded a custom credential-dumping tool to C:\Windows\Temp, created a local service named 'SysUpdate' for persistence, and modified a registry Run key. The client's SOW explicitly requires that all testing artifacts be removed and that any actions taken be documented for the final report. Which approach BEST satisfies the cleanup requirements for this engagement?

Reviewed for accuracy · Report an issue
Question 2 of 20

During an authorized engagement, a penetration tester has interactive shell access to a compromised Linux server using a shared service account. Before disconnecting for the day, the tester wants to prevent the commands run during this session from being written to the account's ~/.bash_history file when the shell exits, without altering historical entries that existed before the session began. Which action best accomplishes this goal?

Reviewed for accuracy · Report an issue
Question 3 of 20

During post-exploitation on a compromised Linux web server, you have a low-privileged shell as the user 'www-data'. You run 'getcap -r / 2>/dev/null' and notice that '/usr/bin/python3.9' has 'cap_setuid+ep' set. What is the most effective next step to escalate to root?

Reviewed for accuracy · Report an issue
Question 4 of 20

During a Linux post-exploitation phase, you have a low-privileged shell as user 'webapp'. Enumeration reveals a root-owned cron entry running '/opt/scripts/backup.sh' every five minutes. The script file has permissions '-rwxrwxrwx' and is owned by root. Which action most directly leads to privilege escalation?

Reviewed for accuracy · Report an issue
Question 5 of 20

After compromising a low-privilege account on a Linux web server during an internal engagement, you want to identify additional systems and data that may extend your reach. You run 'mount' and 'cat /etc/fstab' and notice an NFS export from 10.10.20.50 mounted at /mnt/backup with 'rw' access and no root_squash restriction visible. What is the MOST useful next action to leverage this discovery for lateral movement?

Reviewed for accuracy · Report an issue
Question 6 of 20

During a post-exploitation phase, you gain a shell on a compromised Linux web server in a DMZ. Before attempting lateral movement, you want to identify which internal networks this host can reach so you can plan a pivot. The host has no GUI and limited installed tooling. Which command output would MOST directly reveal additional internal subnets the compromised host is configured to route to?

Reviewed for accuracy · Report an issue
Question 7 of 20

After gaining a low-privilege shell on a Linux web server, a penetration tester wants to identify locally running network services and internal listening ports that are not exposed externally, in order to plan lateral movement. Which command provides the most relevant information for this specific goal?

Reviewed for accuracy · Report an issue
Question 8 of 20

During a Linux post-exploitation phase, you gained root on an application server and, to maintain access, appended your public key to /root/.ssh/authorized_keys, added a systemd service that spawns a reverse shell on boot, and modified /etc/sudoers to grant a low-privilege service account NOPASSWD access. The engagement is now ending and the rules of engagement require you to restore the environment to its pre-test state. Which action is MOST important to include in your cleanup so the environment is not left in a weakened security posture?

Reviewed for accuracy · Report an issue
Question 9 of 20

During a Linux post-exploitation phase, you have root on a production application server and need durable persistence that survives reboots but remains low-profile. The client's rules of engagement require that all persistence mechanisms be documented and cleanly removable at engagement end. You are considering an LD_PRELOAD-based technique. Which approach best balances persistence, stealth, and the ability to fully restore the environment during cleanup?

Reviewed for accuracy · Report an issue
Question 10 of 20

During an internal engagement you gained a Meterpreter session on a dual-homed Linux host (10.0.10.5). This host also has an interface on 192.168.50.0/24, a subnet your Kali attack box cannot reach directly. You want to run additional Metasploit modules against hosts in the 192.168.50.0/24 range through the compromised host without setting up separate port forwards for each target port. Which action best achieves this?

Reviewed for accuracy · Report an issue
Question 11 of 20

During an internal engagement, you have a Meterpreter session on a dual-homed Linux host (10.0.5.20). This host also has an interface on 172.16.30.0/24, a segment your attack machine cannot reach directly. You need to connect your local RDP client to a Windows server at 172.16.30.15 on TCP 3389 through the compromised host. Which action most directly accomplishes this?

Reviewed for accuracy · Report an issue
Question 12 of 20

During a Linux post-exploitation phase, you created a persistence mechanism by copying /bin/bash to /tmp/.sysd and setting the SUID bit so you could regain root access. The engagement is now complete, and the rules of engagement require you to restore the environment to its original state. Which action MUST be documented and performed to properly clean up this specific artifact?

Reviewed for accuracy · Report an issue
Question 13 of 20

During a Linux post-exploitation phase, a penetration tester gains root access to a web server through a kernel exploit. The tester wants to maintain reliable access that survives reboots and does not depend on the current vulnerable process, while blending in with normal administrative activity. The server exposes SSH to a management VLAN the tester can reach through an established pivot. Which persistence technique BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 20

During a post-exploitation phase on a Linux server, you have a low-privileged shell as the user 'svc-app'. Running 'sudo -l' returns that the user may run '/usr/bin/find' as root without a password. Which action MOST directly leverages this misconfiguration to obtain a root shell?

Reviewed for accuracy · Report an issue
Question 15 of 20

During an internal engagement, you have gained a low-privileged shell on a Linux web server as the user 'www-data'. Your goal is to escalate to root. As part of enumerating the host, you want to identify locally installed binaries that could be abused to run commands with elevated privileges due to misconfigured file permissions. Which command should you run first to surface the most likely privilege-escalation candidates?

Reviewed for accuracy · Report an issue
Question 16 of 20

During a Linux post-exploitation engagement, you dropped a compiled binary into /usr/local/bin and modified /etc/systemd/system/backup.service to establish persistence. Before disengaging, the rules of engagement require you to minimize forensic artifacts while documenting all changes for the client. You already removed the persistence files. The blue team uses a file-integrity monitoring tool that alerts on modification timestamps deviating from the package baseline. Which action best addresses the timestamp artifact left by your file operations in the directory?

Reviewed for accuracy · Report an issue
Question 17 of 20

During a Linux post-exploitation phase, you have a low-privilege shell on a build server via a reverse shell that dies whenever your SSH client disconnects or the parent process is reaped. You need your running enumeration tools and callback to survive session termination without installing new packages or triggering the host's file-integrity monitoring, which alerts on new files in /etc, /usr, and cron directories. Which approach best maintains your access under these constraints?

Reviewed for accuracy · Report an issue
Question 18 of 20

During a post-exploitation phase, you have a low-privilege shell on a dual-homed Linux host (eth0 on 10.10.10.0/24, eth1 on 172.16.5.0/24). You lack root and cannot install tools or run a network scanner. Before setting up a pivot, you want to quickly identify which hosts on the internal 172.16.5.0/24 segment this box has recently communicated with, without generating noisy new traffic. Which action best accomplishes this?

Reviewed for accuracy · Report an issue
Question 19 of 20

During an internal engagement, you have compromised a Linux jump host (10.10.1.5) that has SSH access to a second Linux host (10.10.2.9) in a segmented subnet. From 10.10.2.9 you can reach a database server (10.10.3.20) that is unreachable from both your attack box and the jump host. You need your attack box's tools to scan and interact with 10.10.3.20. Which approach correctly establishes reachability to the deepest target?

Reviewed for accuracy · Report an issue
Question 20 of 20

During post-exploitation on a Linux web server, a penetration tester has a shell as the low-privileged 'www-data' account. Enumeration shows that /etc/passwd is world-writable (permissions 666), while /etc/shadow remains root-owned and inaccessible. The tester has access to the 'openssl' binary. Which technique will most reliably escalate privileges to root using this misconfiguration?

Reviewed for accuracy · Report an issue

More PT0-003 practice

Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.

← Back to PT0-003 overview