PT0-003 Exam Dumps - CompTIA PenTest+ Exam

The DREAD model is a risk assessment framework used to evaluate and prioritize the security risks of an application. It stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.

Understanding DREAD:

Purpose: Provides a structured way to assess and prioritize risks based on their potential impact and likelihood.

Components:

Damage Potential: The extent of harm that an exploit could cause.

Reproducibility: How easily the exploit can be reproduced.

Exploitability: The ease with which the vulnerability can be exploited.

Affected Users: The number of users affected by the exploit.

Discoverability: The likelihood that the vulnerability will be discovered.

Usage in Threat Modeling:

Evaluation: Assign scores to each DREAD component to assess the overall risk.

Prioritization: Higher scores indicate higher risks, helping prioritize remediation efforts.

Process:

Identify Threats: Enumerate potential threats to the application.

Assess Risks: Use the DREAD model to evaluate each threat.

Prioritize: Focus on addressing the highest-scoring threats first.

References from Pentesting Literature:

The DREAD model is widely discussed in threat modeling and risk assessment sections of penetration testing guides.

HTB write-ups often include references to DREAD when explaining how to assess and prioritize vulnerabilities in applications.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host ' s operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.

Understanding Responder:

Purpose: Responder is used to capture NTLMv2 hashes from a Windows network.

Operation: It listens on the network for LLMNR, NBT-NS, and MDNS requests and responds to them, tricking the client into authenticating with the attacker ' s machine.

Command Breakdown:

responder -I eth0: Starts Responder on the network interface eth0.

john responder_output.txt: Uses John the Ripper to crack the hashes captured by Responder.

< rdp to target > : Suggests the next step after capturing credentials might involve using RDP with the cracked password, but the initial capture is passive and low impact.

Why This is the Best Choice:

Least Impact: Responder passively captures network traffic without interacting directly with the target host’s system processes.

Stealth: It operates quietly on the network, making it less likely to cause stability issues or be detected by host-based security mechanisms.

References from Pentesting Literature:

Tools like Responder are discussed in penetration testing guides for initial reconnaissance and credential gathering without causing significant disruptions.

HTB write-ups frequently mention the use of Responder in network-based attacks to capture credentials safely.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======

The correct answer is B. Securely destroy or remove all engagement-related data from testing systems.

At the end of a penetration test, the tester must protect client confidentiality by securely handling all artifacts generated during the engagement. These artifacts may include screenshots, scan results, exploit output, credentials, hashes, reports, packet captures, copied files, logs, notes, and any other client-related evidence.

Securely destroying or removing engagement-related data from the tester’s systems is the best procedure for maintaining client data privacy because it reduces the risk of unauthorized disclosure after the engagement is complete.

A is incorrect because removing configuration changes and deployed tools is part of cleanup on client systems, but it does not fully address client data privacy on the tester’s own systems.

C is incorrect because searching configuration files for credentials is too narrow. Client-sensitive data can exist in many places, not only in configuration files.

D is incorrect because shutting down command-and-control or attacker infrastructure is part of post-engagement cleanup, but it does not directly ensure that client data collected during the test is securely removed.

In PenTest+ terms, this aligns with Reporting and Communication, especially post-engagement activities, evidence handling, data retention, secure disposal, and maintaining client confidentiality.

The correct answer is C. Session hijacking

The cookie value is only Base64 encoded, not encrypted or cryptographically protected. When decoded, it reveals a username and a numeric value:

Pentestuser:91536

After logging in again, the numeric value changes:

Pentestuser:91944

This strongly suggests the application may be storing a session identifier or authentication token in a predictable or weakly protected format. A penetration tester would most likely test whether the session value can be guessed, reused, modified, or replayed to take over another user’s session. That type of attack is session hijacking.

A is incorrect because a collision attack involves finding two different inputs that produce the same hash value. This scenario does not involve hash collision testing.

B is incorrect because JWT manipulation applies to JSON Web Tokens, which typically have three Base64URL-encoded sections separated by periods, such as header.payload.signature. The cookie shown is not a JWT.

D is incorrect because insecure direct object reference involves manipulating object identifiers, such as account IDs, invoice numbers, or file IDs, to access unauthorized resources. The issue here is related to authentication/session handling, not direct object access.

In PenTest+ terms, this falls under Attacks and Exploits, specifically web application attacks involving weak session management, predictable session tokens, and session hijacking.

From the Nmap results:

Service Analysis:

SSH (22): Secure Shell is a remote access protocol that is typically well-secured with encryption and authentication mechanisms. It’s not the easiest to exploit without valid credentials or known vulnerabilities.

SMTP (25): The port is filtered, which indicates that it might be blocked by a firewall, making it less accessible as an attack vector.

RPCBind (111): RPC services can sometimes expose vulnerabilities, but they are less common in modern systems.

NFS (2049): Network File System is a file-sharing service. Misconfigured NFS servers often expose sensitive files or directories that can be accessed without proper authentication.

Best Target:NFS (port 2049) is the most attractive target. Attackers can exploit insecure exports, gain unauthorized access to shared directories, or elevate privileges if the server allows root access over NFS.

CompTIA Pentest+ References:

Domain 2.0 (Information Gathering and Vulnerability Identification)

Domain 3.0 (Attacks and Exploits)

Lock picking techniques are used in physical security assessments to test access control mechanisms.

Raking (Option D):

Raking is a lock-picking technique where a rake pick is inserted and rapidly moved in and out to manipulate multiple pins simultaneously.

It is faster but less precise than single-pin picking.

Used when speed is prioritized over precision.

Given the output, the penetration tester should select the fileserver as the next target for testing, considering both CVSS and EPSS scores.

CVSS (Common Vulnerability Scoring System):

Purpose: CVSS provides a numerical score to represent the severity of vulnerabilities, helping to prioritize remediation efforts.

Higher Scores: Indicate more severe vulnerabilities.

EPSS (Exploit Prediction Scoring System):

Purpose: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

Higher Scores: Indicate a higher likelihood of exploitation.

Evaluation:

hrdatabase: CVSS = 9.9, EPSS = 0.50

financesite: CVSS = 8.0, EPSS = 0.01

legaldatabase: CVSS = 8.2, EPSS = 0.60

fileserver: CVSS = 7.6, EPSS = 0.90

The fileserver has the highest EPSS score, indicating a high likelihood of exploitation, despite having a slightly lower CVSS score compared to hrdatabase and legaldatabase.

Pentest References:

Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

By selecting the fileserver, which has a high EPSS score, the penetration tester focuses on a target that is more likely to be exploited, thereby addressing the most immediate risk.

======

The correct answer is D. Find the SYSVOL share for hashes with findstr /i and decrypt using the published key.

Group Policy Preferences previously allowed administrators to store local user passwords in Group Policy XML files inside the domain’s SYSVOL share. These passwords were stored as cpassword values. Although encrypted, Microsoft published the AES key used to decrypt them, which means anyone with domain access could potentially retrieve and decrypt those credentials.

Because SYSVOL is commonly readable by authenticated domain users, a compromised domain-joined endpoint can be used to search SYSVOL for Group Policy Preference XML files containing cpassword values. Once decrypted, these credentials may provide local administrator access across multiple domain-joined systems, making this a fast method for pivoting to production servers.

A is incorrect because scanning the domain controller for remote code execution is noisy, risky, and not the fastest or best approach when Group Policy Preferences already expose a known credential-recovery path.

B is incorrect because password spraying with Hydra is slower, noisier, and may trigger account lockouts or detection. The scenario points specifically to Group Policy Preferences, which suggests credential recovery from SYSVOL.

C is incorrect because BloodHound is useful for identifying Active Directory attack paths, but it is not the fastest option when exploitable Group Policy Preference credentials are already known to be present.

In PenTest+ terms, this falls under Attacks and Exploits, specifically Active Directory post-exploitation, credential discovery, Group Policy Preferences abuse, and lateral movement.