CompTIA PenTest+ PT0-003: Attacks and Exploits

Topic snapshot

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Attacks and Exploits

During an authorized test of a customer portal API, the rules of engagement allow only the provided test accounts and prohibit using employee credentials or accessing production customer records. Critical authentication or authorization issues must be escalated the same day.

Evidence:

Which action is the BEST professional decision?

Options:

• A. Report exposed credential and separate authorization misuse; escalate with test evidence.

• B. Report only the exposed token because test-account data has no business impact.

• C. Classify both observations as credential stuffing due to changed account identifiers.

• D. Use the exposed token to confirm production access, then report credential misuse.

Best answer: A

Explanation: Credential exposure evidence shows that a secret, password, token, or key is available where it should not be, such as a public repository. Permission misuse evidence shows that an authenticated identity can perform actions or access objects beyond its intended authorization. In this scenario, the service token in commit history should be reported as exposed credential material and recommended for revocation/rotation. The altered accountId request demonstrates an authorization flaw, such as broken object-level authorization, because the low-privilege test user accessed another test account’s data. The tester should escalate both using authorized test evidence and avoid using the exposed token against production.

• Production token use exceeds the rules of engagement because employee or service credentials may not be used to confirm access.
• Credential stuffing label is unsupported because there is no evidence of automated login attempts with reused credentials.
• Ignoring test-data access misses the authorization impact demonstrated safely within the assigned test accounts.

Question 2

Topic: Attacks and Exploits

A penetration tester is performing an authorized cloud identity review for a customer portal. Scope allows read-only configuration validation and attack-path reporting, but prohibits changing production functions or reading customer records.

Evidence:

Which is the BEST professional decision?

Options:

• A. Focus on service identity MFA as the primary issue

• B. Prioritize the role-chaining path to regulated data

• C. Modify a Lambda function to confirm data access

• D. Deprioritize because ci-runner lacks direct bucket access

Best answer: B

Explanation: The core issue is attack-path reasoning across identities and permissions. Even though ci-runner does not directly read the bucket, it can assume a deployment role that can pass a data-reading role while changing Lambda configuration. That creates a credible path from a build-system identity to regulated customer data. Because the rules of engagement prohibit production changes and reading records, the professional action is to report the high-confidence path with evidence and remediation priority, not to prove it by altering workloads. A strong remediation direction would include restricting iam:PassRole, separating deployment and data-access roles, and limiting which functions can receive sensitive roles.

• Unsafe validation fails because modifying production Lambda or reading records exceeds the stated authorization.
• Direct-access tunnel vision fails because chained permissions can create impact even without direct S3 permissions.
• MFA distraction fails because service identities commonly cannot use MFA, and the decisive risk is excessive role chaining.

Question 3

Topic: Attacks and Exploits

During an authorized test of a production customer portal, the tester observes that the login page returns different messages for valid and invalid usernames. The rules of engagement allow testing only with two provided test accounts, prohibit password spraying and account lockout risk, and require stakeholder notice before any activity that could affect real users. What is the BEST professional validation step?

Options:

• A. Attempt password resets for several real customer accounts

• B. Run a small password spray against likely employee usernames

• C. Compare responses using the provided test accounts and document the evidence

• D. Test breached credentials found in OSINT against the portal

Best answer: C

Explanation: A scope-safe validation step should increase confidence in the suspected authentication weakness while staying inside the rules of engagement. Here, the key evidence is different login behavior for valid versus invalid usernames, so the tester can validate the issue by comparing responses with the explicitly provided test accounts. That approach supports accurate reporting without password guessing, breached-credential use, lockout risk, or interaction with real customer accounts. The evidence should include sanitized requests, responses, timestamps, and the business impact of account enumeration. The main takeaway is to validate the weakness with the least intrusive authorized method that proves the finding.

• Password spraying violates the explicit prohibition and could create account lockout or monitoring impact.
• Breached credentials are not authorized test accounts and would exceed the stated target-use constraints.
• Real customer resets could affect users and require prior stakeholder notice under the rules of engagement.

Question 4

Topic: Attacks and Exploits

During an authorized internal assessment, a tester reviews a packet-capture summary from a user subnet. Which reporting conclusion is best supported by the evidence?

Exhibit: Capture summary

Scope note: Passive observation only; no credential use or packet modification.
Subnet: 10.20.5.0/24
Observed: Repeated ARP replies: "10.20.5.1 is-at 3c:52:82:44:10:ab"
Baseline: Gateway 10.20.5.1 normally maps to 00:1f:29:aa:7c:01
Switch lookup: 3c:52:82:44:10:ab on conference-room access port
Traffic seen: HTTP intranet requests; no session access or server changes observed

Options:

• A. Compromise of the intranet application server

• B. On-path risk to plaintext traffic and subnet availability

• C. Confirmed theft of domain credentials from the subnet

• D. Successful VLAN hopping into restricted networks

Best answer: B

Explanation: The evidence supports ARP spoofing or a similar on-path network condition: a non-gateway MAC address is repeatedly claiming the gateway IP. The likely business impact is exposure of plaintext internal traffic and possible disruption for users on that subnet. Because the tester only observed traffic passively and did not access sessions, modify packets, or validate credential capture, the report should avoid claiming confirmed credential theft or server compromise. Good penetration test reporting separates demonstrated evidence from plausible impact so stakeholders can act without overstating findings.

• Credential theft is not proven because HTTP requests were observed, but no credentials or authenticated session access were validated.
• VLAN hopping is unsupported because the exhibit shows activity on one subnet, not access to another VLAN.
• Server compromise is unsupported because no server-side change, shell access, or application takeover evidence is shown.

Question 5

Topic: Attacks and Exploits

During an authorized cloud assessment, a tester finds what appears to be an AWS access key in a client-owned private repository. The rules of engagement allow validation of discovered cloud credentials only with non-mutating identity checks and prohibit listing data, changing IAM policies, or attempting privilege escalation. Which validation action best fits these requirements?

Options:

• A. List storage buckets to prove the key has useful permissions

• B. Run a caller-identity check and record the account and principal

• C. Attempt privilege escalation to confirm business impact

• D. Attach a temporary read-only policy to enumerate permissions

Best answer: B

Explanation: Scope-safe cloud credential validation should prove only what the rules of engagement authorize. Here, the engagement allows non-mutating identity checks, so validating the credential by identifying the account and principal is appropriate evidence without accessing client data or altering the environment. This supports accurate reporting while minimizing legal, ethical, and operational risk.

Actions that enumerate storage contents, modify IAM, or test escalation go beyond the stated authorization. If more impact evidence is needed, the tester should request approval through the defined engagement channel before expanding validation.

• Data listing may show impact, but it violates the prohibition on accessing or enumerating client data.
• Policy changes are mutating IAM actions and are outside the allowed validation method.
• Privilege escalation creates unauthorized risk because the ROE explicitly forbids escalation attempts.

Question 6

Topic: Attacks and Exploits

During an authorized test of a customer-support AI chatbot, a tester demonstrates that instructions embedded in an untrusted knowledge-base comment can influence the model’s response and cause it to summarize internal-only ticket content for a low-privilege customer. The rules of engagement prohibit further extraction, and the business wants to keep retrieval-augmented support features. Which remediation is the BEST professional recommendation?

Options:

• A. Context-isolate retrieved content behind authorization-gated retrieval

• B. Lower the model temperature for support responses

• C. Log suspicious AI prompts for later analyst review

• D. Filter customer prompts for banned instruction phrases

Best answer: A

Explanation: The evidence points to indirect prompt injection against a retrieval-augmented generation workflow: untrusted retrieved content is being treated as instruction-like context, and sensitive ticket data is reaching a user who should not see it. The strongest remediation direction is context isolation with authorization-gated retrieval, so retrieved documents are handled as untrusted data and access controls are enforced before content is supplied to or returned by the model. This preserves the chatbot’s business purpose while reducing both instruction override and data-boundary failure risk. Input filters and monitoring can help, but they should not be the primary control for preventing unauthorized disclosure.

• Phrase filtering is brittle because attackers can reword instructions and the core trust-boundary problem remains.
• Temperature tuning changes response variability, not whether untrusted context can override instructions or expose data.
• Prompt logging supports detection and review, but it does not prevent unauthorized content from being retrieved or disclosed.

Question 7

Topic: Attacks and Exploits

During an authorized web app test, a tester suspects an authentication weakness after observing different login responses for valid-looking and invalid usernames. The rules of engagement allow validation only with client-provided test accounts, prohibit password spraying against employee accounts, and require avoiding account lockouts. What is the best validation step?

Options:

• A. Compare login responses using only provided test accounts

• B. Spray a common password across employee usernames

• C. Report the issue as confirmed without further evidence

• D. Run a brute-force attack until lockout occurs

Best answer: A

Explanation: A scope-safe validation step should confirm the suspected authentication weakness using authorized, low-risk evidence. Here, the suspected issue is username enumeration based on different login responses. Because the rules of engagement restrict testing to client-provided test accounts and prohibit password spraying against employees, the tester should compare responses only with those approved accounts and capture the behavioral difference. This supports a defensible finding without creating unauthorized account-abuse risk.

The key takeaway is to validate the weakness, not expand into credential attacks or create lockouts.

• Password spraying violates the rule against testing employee accounts and introduces account-abuse risk.
• Brute forcing creates lockout risk and exceeds the safe validation needed for response-difference evidence.
• Skipping validation may preserve safety, but it does not provide enough evidence to confirm the suspected weakness.

Question 8

Topic: Attacks and Exploits

A penetration tester is performing a retest after a web application finding was marked remediated. The rules of engagement allow non-destructive validation only against the same test account and endpoint.

Exhibit: Retest packet

Which retest focus would best verify the remediation?

Options:

• A. Confirm unauthorized path traversal is blocked on the fixed endpoint

• B. Review whether TLS uses a strong cipher suite

• C. Check that web server access logs are retained

• D. Run a full unauthenticated network vulnerability scan

Best answer: A

Explanation: A remediation retest should focus on the specific exploit path, impact, and affected component from the original finding. Here, the original issue was unauthorized file access through a download parameter, and the stated fix was path canonicalization plus an allowlist. The strongest retest is a controlled, non-destructive attempt to verify that the same endpoint no longer permits access outside the intended download set, using the authorized test account and avoiding production data exposure. A broad scan or unrelated configuration review may be useful elsewhere, but it does not prove that the exploit-related finding was fixed.

• Broad scanning is not focused enough to confirm the specific web exploit path was remediated.
• TLS review addresses transport security, not the file access flaw described in the finding.
• Log retention may support monitoring, but it does not validate that the exploit condition is blocked.

Question 9

Topic: Attacks and Exploits

During an authorized internal penetration test, a tester reviews host-based privilege escalation evidence from an in-scope Windows application server. The rules of engagement allow validation by configuration review only, and the server supports a revenue-critical application.

Evidence: A third-party update service runs as LocalSystem, starts automatically, and loads its executable from a directory where the local Users group has modify permissions. No missing OS security patches are reported.

Which remediation direction is the BEST professional recommendation?

Options:

• A. Restrict service directory permissions and use a least-privileged service account

• B. Disable the revenue-critical service until a replacement is deployed

• C. Prioritize operating system patching during the next maintenance window

• D. Perform live exploit validation to prove privilege escalation impact

Best answer: A

Explanation: The core issue is a host-based privilege escalation path caused by weak service hardening: a high-privilege service loads code from a location writable by low-privilege users. Because the service runs as LocalSystem, modifying what it loads could allow privilege escalation. The best remediation direction is to remove unnecessary write access and run the service with only the privileges it needs. This maps the observed evidence to hardening and least privilege without exceeding the rules of engagement or disrupting a critical business service. Patching is important when a missing update is the cause, but the stem says no missing OS security patches were reported.

• Patching focus fails because the evidence points to misconfigured permissions, not an unpatched operating system vulnerability.
• Service shutdown is too disruptive for a revenue-critical application when targeted hardening addresses the risk.
• Live exploitation exceeds the stated validation limit because the rules allow configuration review only.

Question 10

Topic: Attacks and Exploits

A penetration tester is correlating findings from an authorized cloud application assessment. Which reporting conclusion is best supported by the exhibit?

Exhibit: Attack-path summary

Options:

• A. SSRF increases impact by enabling access to role-backed sensitive storage

• B. SSRF impact is limited because data extraction is not authorized

• C. The bucket finding reduces impact because reports are not credentials

• D. The IAM issue is unrelated because it affects only cloud configuration

Best answer: A

Explanation: Attack-path reasoning explains how separate weaknesses combine into greater business impact. Here, the SSRF is not just a web input-handling issue: it may allow the application to make internal cloud requests from a trusted instance. Because that same instance has an overly permissive role with read access to a sensitive reports bucket, the combined path supports a higher-impact conclusion: potential unauthorized access to customer report data. The tester should report the chained risk without extracting data if the rules of engagement prohibit it.

The key takeaway is to connect the web weakness, identity permission, and sensitive data exposure into one evidence-supported attack path.

• Authorization limit affects what the tester may do, not the severity of the potential impact supported by evidence.
• Cloud separation is a misconception because identity permissions can amplify a web application flaw.
• Noncredential data can still be sensitive business or customer data and can increase impact.

Continue with full practice

Use the CompTIA PenTest+ PT0-003 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Try CompTIA PenTest+ PT0-003 on Web View CompTIA PenTest+ PT0-003 Practice Test

Related focused pages

• Free CompTIA PenTest+ PT0-003 Full-Length Practice Exam
• Engagement Management
• Reconnaissance and Enumeration
• Vulnerability Discovery and Analysis
• Post-Exploitation and Lateral Movement

Free review resource

Read the CompTIA PenTest+ PT0-003 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.