During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:
 
Which of the following commands should the penetration tester run to successfully achieve RCE?

A. python3 -c “import requests;print(requests.post(url-‘http://172.16.200.10/uploads/shell.php’,data={‘cmd=id’}))”

B. python3 -c “import requests;print(requests.post(url-‘http://172.16.200.10/uploads/shell.php’,data={‘cmd’: ‘id’}).text)”

C. python3 -c “import requests;print(requests.get(url-‘http://172.16.200.10/uploads/shell.php’,params={‘cmd’: ‘id’}))”

D. python3 -c “import requests;print(requests.get(url-‘http://172.16.200.10/uploads/shell.php’,params={‘cmd’: ‘id’}).test)”

Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

A. Peach

B. WinDbg

C. GDB

D. OllyDbg

A penetration tester runs the following command:
dig @ dns01.comptia.local axfr comptia.local
If successful, which of the following types of information would be provided?

A. The DNSSEC certificate and CA

B. The DHCP scopes and ranges used on the network

C. The hostnames and IP addresses of internal systems

D. The OS and version of the DNS server

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt

B. nmap -iR 10 -n -oX out.xml | grep “Nmap” | cut -d “” -f5 > live-hosts.txt

C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service

D. nmap -sS -Pn -n -iL target.txt -oA target_txtl

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

A. Setting up a secret management solution for all items in the source code management system

B. Implementing role-based access control on the source code management system

C. Configuring multifactor authentication on the source code management system

D. Leveraging a solution to scan for other similar instances in the source code management system

E. Developing a secure software development life cycle process for committing code to the source code management system

F. Creating a trigger that will prevent developers from including passwords in the source code management system

A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website’s response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester?

A. Situational awareness

B. Rescheduling

C. DDoS defense

D. Deconfliction

A penetration tester is reviewing the security of a web application running in an IaaS compute instance. Which of the following payloads should the tester send to get the running process credentials?

A. file=http://192.168.1.78?+document.cookie

B. file=../../../proc/self/environ

C. file=’%20or%2054365=54365;––

D. file=http://169.254.169.254/latest/meta-data/

Which of the following is the MOST secure method for sending the penetration test report to the client?

A. Host it on an online storage system.

B. Put it inside a password-protected ZIP file.

C. Transfer it via webmail using an HTTPS connection.

D. Use the client’s public key.

Given the following Bash code snippet:
 
Which of the following would be achieved?

A. User enumeration

B. Directory brute-force attack

C. Port scan

D. File download

A penetration tester has been given eight business hours to gain access to a client's financial system.
Which of the following techniques will have the HIGHEST likelihood of success?

A. Attempting to tailgate an employee who is going into the client’s workplace

B. Dropping a malicious USB key with the company’s logo in the parking lot

C. Using a brute-force attack against the external perimeter to gain a foothold

D. Performing spear phishing against employees by posing as senior management

A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?

A. Asset inventory

B. DNS records

C. Web-application scan

D. Full scan

A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment.
Which of the following would most likely produce useful information for additional testing?

A. Public code repositories associated with a developer who previously worked for the target company

B. Public code repositories associated with the target company’s organization

C. Private code repositories associated with the target company’s organization

D. Private code repositories associated with a developer who previously worked for the target company

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
✑ Have a full TCP connection
✑ Send a `hello` payload
✑ Wait for a response
✑ Send a string of characters longer than 16 bytes
Which of the following approaches would BEST support the objective?

A. Run nmap -Pn -sV –script vuln .

B. Employ an OpenVAS simple scan against the TCP port of the host.

C. Create a script in the Lua language and use it with NSE.

D. Perform a credentialed scan with Nessus.

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

A. Prohibiting exploitation in the production environment

B. Requiring all testers to review the scoping document carefully

C. Never assessing the production networks

D. Prohibiting testers from joining the team during the assessment

A consultant is reviewing the following output after reports of intermittent connectivity issues:
 
Which of the following is MOST likely to be reported by the consultant?

A. A device on the network has an IP address in the wrong subnet.

B. A multicast session was initiated using the wrong multicast group.

C. An ARP flooding attack is using the broadcast address to perform DDoS.

D. A device on the network has poisoned the ARP cache.

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?

A. Hashcat

B. Mimikatz

C. Patator

D. John the Ripper

A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place?

A. To provide protection against host OS vulnerabilities

B. To reduce the probability of a VM escape attack

C. To fix any misconfigurations of the hypervisor

D. To enable all features of the hypervisor

A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet."
Which of the following audiences was this message intended?

A. Systems administrators

B. C-suite executives

C. Data privacy ombudsman

D. Regulatory officials

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:
IP Address: 192.168.1.63 -
Physical Address: 60-36-dd-a6-c5-33
Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

A. tcpdump -i eth01 arp and arp[6:2] == 2

B. arp -s 192.168.1.63 60-36-DD-A6-C5-33

C. ipconfig /all findstr /v 00-00-00 | findstr Physical

D. route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

During an assessment, a penetration tester obtains a list of password digests using Responder. Which of the following tools would the penetration tester most likely use next?

A. Hashcat

B. Hydra

C. CeWL

D. Medusa

A penetration tester is testing a company's public APIs. In researching the API URLs, the penetration tester discovers that the URLs resolve to a cloud-hosted WAF service that is blocking the penetration tester's attack attempts. Which of the following should the tester do to best ensure the attacks will be more successful?

A. Increase the volume of attacks to enable more to possibly slip through.

B. Vary the use of upper and lower case characters in payloads to fool the WAF.

C. Use multiple source IP addresses for the attack traffic to prevent being blocked.

D. Locate the company’s servers that are hosting the API and send the traffic there.

During enumeration, a red team discovered that an external web server was frequented by employees. After compromising the server, which of the following attacks would BEST support compromising company systems?

A. A side-channel attack

B. A command injection attack

C. A watering-hole attack

D. A cross-site scripting attack

A penetration tester uncovered a flaw in an online banking web application that allows arbitrary requests to other internal network assets through a server-side request forgery. Which of the following would BEST reduce the risk of attack?

A. Implement multifactor authentication on the web application to prevent unauthorized access of the application.

B. Configure a secret management solution to ensure attackers are not able to gain access to confidential information.

C. Ensure a patch management system is in place to ensure the web server system is hardened.

D. Sanitize and validate all input within the web application to prevent internal resources from being accessed.

E. Ensure that enhanced logging is enabled on the web application to detect the attack.

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)

A. Shoulder surfing

B. Call spoofing

C. Badge stealing

D. Tailgating

E. Dumpster diving

F. Email phishing

A penetration tester captured the following traffic during a web-application test:
 
Which of the following methods should the tester use to visualize the authorization information being transmitted?

A. Decode the authorization header using UTF-8.

B. Decrypt the authorization header using bcrypt.

C. Decode the authorization header using Base64.

D. Decrypt the authorization header using AES.

While performing the scanning phase of a penetration test, the penetration tester runs the following command:
nmap -n -vv -sV -p- 10.10.10.23-28
After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT?

A. -sU

B. -Pn

C. -sn

D. -sS

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

A. Gain access to the target host and implant malware specially crafted for this purpose.

B. Exploit the local DNS server and add/update the zone records with a spoofed A record.

C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.

D. Proxy HTTP connections from the target host to that of the spoofed host.

Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?

A. Scope details

B. Findings

C. Methodology

D. Statement of work

Which of the following tools would help a penetration tester locate a file that was uploaded to a content management system?

A. DirBuster

B. Open VAS

C. Scout Suite

D. CeWL

A penetration tester is performing an assessment against a customer’s web application that is hosted in a major cloud provider’s environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization’s WAF. Which of the following attacks would be most likely to succeed?

A. Reflected XSS

B. Brute-force

C. DDoS

D. Direct-to-origin

Which of the following factors would a penetration tester MOST likely consider when testing at a location?

A. Determine if visas are required.

B. Ensure all testers can access all sites.

C. Verify the tools being used are legal for use at all sites.

D. Establish the time of the day when a test can occur.

Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

A. OWASP ZAP

B. Nmap

C. Nessus

D. BeEF

E. Hydra

F. Burp Suite

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?

A. Network segmentation

B. Key rotation

C. Encrypted passwords

D. Patch management

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

A. A signed statement of work

B. The correct user accounts and associated passwords

C. The expected time frame of the assessment

D. The proper emergency contacts for the client

A penetration tester is scanning a corporate lab network for potentially vulnerable services.
Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

A. nmap 192.168.1.1-5 -PU22-25,80

B. nmap 192.168.1.1-5 -PA22-25,80

C. nmap 192.168.1.1-5 -PS22-25,80

D. nmap 192.168.1.1-5 -Ss22-25,80

A penetration tester who is performing a physical assessment has achieved physical access to a call center for the assessed company. The tester is able to move freely around the room.
Which of the following attack types is most likely to result in the tester obtaining personal or confidential information quickly?

A. Dumpster diving

B. Warwalking

C. Vishing

D. Smishing

E. Shoulder surfing

A penetration tester discovered a vulnerability that provides the ability to upload to a path via discovery traversal. Some of the files that were discovered through this vulnerability are:
 
Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

A. Edit the discovered file with one line of code for remote callback.

B. Download .pl files and look for usernames and passwords.

C. Edit the smb.conf file and upload it to the server.

D. Download the smb.conf file and look at configurations.

A penetration tester wrote the following script on a compromised system:
 
Which of the following would explain using this script instead of another tool?

A. The typical tools could not be used against Windows systems.

B. The configuration required the penetration tester to not utilize additional files.

C. The Bash script will provide more thorough output.

D. The penetration tester wanted to persist this script to run on reboot.

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:
 
Which of the following was the script author trying to do?

A. Spawn a local shell.

B. Disable NIC.

C. List processes.

D. Change the MAC address.

Given the following script:
 
Which of the following BEST characterizes the function performed by lines 5 and 6?

A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10

B. Performs a single DNS query for www.comptia.org and prints the raw data output

C. Loops through variable b to count the results returned for the DNS query and prints that count to screen

D. Prints each DNS query result already stored in variable b

HOTSPOT -
You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTION -
Giving the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
 

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

A. Spawned shells

B. Created user accounts

C. Server logs

D. Administrator accounts

E. Reboot system

F. ARP cache

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address.
Which of the following MOST likely describes what happened?

A. The penetration tester was testing the wrong assets.

B. The planning process failed to ensure all teams were notified.

C. The client was not ready for the assessment to start.

D. The penetration tester had incorrect contact information.

Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?

A. DirBuster

B. CeWL

C. w3af

D. Patator

A penetration tester runs the unshadow command on a machine.
Which of the following tools will the tester most likely use NEXT?

A. John the Ripper

B. Hydra

C. Mimikatz

D. Cain and Abel

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:
U3VQZXIkM2NyZXQhCg==
Which of the following commands should the tester use NEXT to decode the contents of the file?

A. echo U3VQZXIkM2NyZXQhCg== | base64 ג€”d

B. tar zxvf password.txt

C. hydra ג€”l svsacct ג€”p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24

D. john –wordlist /usr/share/seclists/rockyou.txt password.txt

A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?

A. The timing of the scan

B. The bandwidth limitations

C. The inventory of assets and versions

D. The type of scan

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

A. MD5

B. bcrypt

C. SHA-1

D. PBKDF2

Which of the following documents describes activities that are prohibited during a scheduled penetration test?

A. MSA

B. NDA

C. ROE

D. SLA

A security engineer is trying to bypass a network IPS that isolates the source when the scan exceeds 100 packets per minute. The scope of the san is to identify web servers in the 10.0.0.0/16 subnet. Which of the following commands should the engineer use to achieve the objective in the least amount of time?

A. nmap –T3 –p 80 10.0.0.0/16 ––max-hostgroup 100

B. nmap –T0 –p 80 10.0.0.0/16

C. nmap –T4 –p 80 10.0.0.0/16 ––max-rate 60

D. nmap –T5 –p 80 10.0.0.0/16 ––min-rate 80