Try 90 free CompTIA PenTest+ PT0-003 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length CompTIA PenTest+ PT0-003 practice exam includes 90 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
Need concept review first? Read the CompTIA PenTest+ PT0-003 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Domain | Weight |
|---|---|
| Engagement Management | 13% |
| Reconnaissance and Enumeration | 21% |
| Vulnerability Discovery and Analysis | 17% |
| Attacks and Exploits | 35% |
| Post-Exploitation and Lateral Movement | 14% |
Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.
Topic: Reconnaissance and Enumeration
During an authorized external penetration test, the rules of engagement list only www.examplecorp.com and api.examplecorp.com as in-scope targets. Passive DNS review shows api.examplecorp.com has a recent CNAME to api-blue.examplecorp.net, and certificate transparency logs show the same business unit name on that alias. The testing window starts tonight, and the client requires written approval before adding targets. What is the BEST next reconnaissance action?
Options:
A. Ignore the alias because it is on another domain
B. Test the alias only with low-rate HTTP requests
C. Port-scan the alias during the approved window
D. Document the alias and request scope confirmation
Best answer: D
Explanation: When reconnaissance reveals additional assets, aliases, or infrastructure that may belong to the client, the professional next step is to preserve the evidence and confirm whether the asset is authorized for testing. A CNAME and certificate transparency evidence suggest the alias may be related, but the rules of engagement explicitly limit scope and require written approval for additions. Passive collection and documentation stay within safe reconnaissance boundaries; active probing should not begin until scope is updated or the client confirms authorization. The key distinction is relevance versus authorization: likely ownership does not automatically make a target in scope.
Topic: Attacks and Exploits
During an authorized internal segmentation test, the client asks you to report only evidence that supports VLAN hopping risk without sending exploit traffic. You review the following switch and capture notes for a user-access jack. Which observation should be reported as the strongest VLAN hopping evidence?
| Evidence | Observation |
|---|---|
| Port role | User-facing conference room jack |
| Port mode | Dynamic trunk negotiation enabled |
| Capture | DTP frames observed on the port |
| Trunk result | Negotiated trunk permits VLAN 10 and restricted VLAN 30 |
Options:
A. Inter-VLAN ACLs block file-sharing traffic
B. STP is enabled on the access switch
C. The user host can reach its own default gateway
D. Dynamic trunking on a user port permits the restricted VLAN
Best answer: D
Explanation: VLAN hopping evidence usually comes from trunking or segmentation facts showing that a non-trunk endpoint can gain access to VLANs it should not reach. In this scenario, the decisive facts are that a user-facing port has dynamic trunk negotiation enabled, DTP frames are visible, and the negotiated trunk permits a restricted VLAN. That combination supports a switch-spoofing VLAN hopping finding without requiring exploit traffic. Normal gateway reachability, blocked inter-VLAN traffic, and STP being enabled do not show that an access port can carry unauthorized VLAN tags.
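The following is an added example, not part of the original question set or any vendor tool: a small Python check that reads an IOS-style running-config excerpt and flags user-facing ports that can still negotiate a trunk, which is the configuration state behind the evidence above. The config excerpt, interface names and VLAN numbers are constructed; `switchport mode dynamic auto|desirable`, `switchport mode access` and `switchport nonegotiate` are standard IOS keywords, and treating a port with no explicit mode as dynamic reflects the `dynamic auto` default on many Catalyst platforms (an assumption to confirm against the platform in scope).

```python
"""Find user-facing switch ports that can negotiate a trunk (DTP).

Added example; parses a constructed IOS-style config excerpt and reports
user-facing interfaces whose 'switchport mode' still allows dynamic trunk
negotiation. Interface names, descriptions and VLAN numbers are made up.
"""
import re

# Constructed config excerpt: one conference-room jack left dynamic, one office
# jack hardened, one printer jack with no explicit mode, one genuine uplink trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/7
 description Conference room jack
 switchport mode dynamic desirable
 switchport trunk allowed vlan 10,30
!
interface GigabitEthernet1/0/8
 description Office jack
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/9
 description Printer jack
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""

# Assumed convention: user-facing ports are identified by their description text.
USER_PORT_HINT = re.compile(r"jack|user|conference|desk", re.IGNORECASE)


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def find_dtp_risks(config_text):
    """Return [(interface, allowed_vlans, reason)] for user-facing ports that negotiate trunks."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        if not USER_PORT_HINT.search(desc):
            continue  # uplinks and server ports are reviewed separately
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        allowed = next((l.split()[-1] for l in lines
                        if l.startswith("switchport trunk allowed vlan ")), "all")
        if mode is None:
            findings.append((name, allowed, "no explicit mode: platform default may be dynamic auto"))
        elif "dynamic" in mode:
            findings.append((name, allowed, "explicit DTP negotiation: " + mode))
    return findings


def hardened_stanza(name, access_vlan):
    """The corrected access-port configuration: fixed access mode with DTP disabled."""
    return "\n".join([
        f"interface {name}",
        " switchport mode access",
        f" switchport access vlan {access_vlan}",
        " switchport nonegotiate",
        "!",
    ])
```

Running `find_dtp_risks(SAMPLE_CONFIG)` flags the conference-room jack (explicit `dynamic desirable`, trunk allowed list `10,30`) and the printer jack (no explicit mode), while the hardened office jack and the real uplink are not reported; the allowed-VLAN list in each finding is what turns a dynamic port into the "permits the restricted VLAN" statement in the evidence table.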
Topic: Attacks and Exploits
During an authorized web application test, the rules of engagement allow testing only two provided test accounts and prohibit disruptive testing or access to production customer records. While logged in as TestUserA, a tester changes an accountId value in a profile preferences request to TestUserB’s ID. The application returns 200 OK, and TestUserB’s recovery email is changed. No records are displayed, and no server-side commands are executed.
Which professional decision is BEST?
Options:
A. Report code execution and validate operating system command execution.
B. Report service disruption and stress-test the affected endpoint.
C. Report data exposure and enumerate additional customer records.
D. Report unauthorized account action from broken object-level authorization.
Best answer: D
Explanation: The observed impact is an unauthorized account action, not data exposure, code execution, or service disruption. The decisive evidence is that TestUserA successfully changed TestUserB’s recovery email by modifying an object identifier. Because no customer data was displayed, no commands ran, and no availability impact occurred, the report should describe broken object-level authorization with a state-changing impact. The tester should stay within the provided test accounts and avoid expanding into production records or disruptive testing. The remediation focus is enforcing server-side authorization checks for each object-level action.
Topic: Vulnerability Discovery and Analysis
During an internal vulnerability assessment, the tester compares the approved scope with the completed scan summary.
Exhibit:
| Source | Detail |
|---|---|
| Rules of engagement | Assess 10.20.10.0/24, 10.20.30.0/24, and 10.20.40.0/24 |
| Asset inventory | 10.20.30.0/24 contains 12 OT controllers |
| Scan summary | 10.20.10.0/24: 96 hosts tested; 10.20.40.0/24: 20 hosts tested |
| Scanner log | No route to 10.20.30.0/24 from scan engine |
Which interpretation is best supported by the exhibit?
Options:
A. The asset inventory is incomplete for the tested subnets
B. An in-scope subnet was inaccessible and remains unassessed
C. The scanner produced false positives for OT services
D. The scan exceeded the authorized network scope
Best answer: B
Explanation: This is a scan coverage gap caused by an inaccessible network segment. The rules of engagement explicitly include 10.20.30.0/24, and the asset inventory says that subnet contains 12 OT controllers. However, the scan summary shows no tested hosts for that subnet, and the scanner log states there is no route from the scan engine. That means the assessment results cannot support conclusions about vulnerabilities on those OT assets until connectivity, routing, or scanner placement is corrected and the subnet is rescanned. The key reporting point is not exploitability or severity; it is that part of the approved scope was not assessed.
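As an added example (not from the page or any scanner vendor), the reconciliation below is the check a tester can run before drawing conclusions: compare the approved subnets with the addresses the scanner actually tested, count coverage per subnet, and surface both unassessed in-scope ranges and any tested address that falls outside the authorization. The subnets, host counts, inventory note and log message are the exhibit's; the list of tested addresses is a constructed stand-in for a scanner export.

```python
"""Reconcile the approved scope with what the scanner actually tested.

Added example. The subnets, host counts and error text come from the exhibit;
TESTED_HOSTS is a constructed stand-in for a scanner's tested-host export.
"""
import ipaddress

ROE_SCOPE = ["10.20.10.0/24", "10.20.30.0/24", "10.20.40.0/24"]
ASSET_INVENTORY = {"10.20.30.0/24": "12 OT controllers"}
SCANNER_LOG = ["No route to 10.20.30.0/24 from scan engine"]
# Constructed: 96 tested hosts in 10.20.10.0/24 and 20 in 10.20.40.0/24, as in the summary.
TESTED_HOSTS = [f"10.20.10.{i}" for i in range(1, 97)] + [f"10.20.40.{i}" for i in range(1, 21)]


def coverage_report(scope, tested_hosts, inventory=None, scanner_log=()):
    """Count tested hosts per approved subnet; list subnets with zero coverage and
    any tested host that lies outside the authorized scope."""
    networks = [ipaddress.ip_network(s) for s in scope]
    tested = {str(net): 0 for net in networks}
    out_of_scope = []
    for host in tested_hosts:
        addr = ipaddress.ip_address(host)
        for net in networks:
            if addr in net:
                tested[str(net)] += 1
                break
        else:
            out_of_scope.append(host)   # scan exceeded authorization
    unassessed = [s for s, count in tested.items() if count == 0]
    return {
        "tested": tested,
        "unassessed": [
            {"subnet": s,
             "inventory": (inventory or {}).get(s, "unknown"),
             "scanner_log": [m for m in scanner_log if s in m]}
            for s in unassessed
        ],
        "out_of_scope": out_of_scope,
    }
```

With the exhibit's values the report shows 96 and 20 tested hosts for the two reachable subnets, no out-of-scope hosts, and one unassessed entry for 10.20.30.0/24 carrying the inventory note and the matching "No route" log line, which is exactly the statement the report should make instead of a severity claim.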
Topic: Reconnaissance and Enumeration
During an external reconnaissance phase, a tester is authorized to review public documentation and perform non-intrusive API enumeration against api.example.com. No credentials are provided, and the rules of engagement prohibit data-changing requests.
Exhibit: API discovery notes
GET /openapi.json -> 200 OK
Spec version: 2.3.1
Paths observed:
/v1/accounts security: none, deprecated: true
/v2/customers/{id} security: bearerAuth
/internal/admin/users security: bearerAuth, x-internal: true
Developer portal still links to /v1/accounts as "legacy mobile API"
What is the BEST professional decision?
Options:
A. Run authenticated attacks against bearerAuth endpoints to confirm impact
B. Document the exposure and request scope clarification before deeper validation
C. Ask operations to disable /v1/accounts before the report
D. Ignore the internal path because the spec requires bearerAuth
Best answer: B
Explanation: API discovery evidence can reveal exposure even before exploitation. A publicly reachable OpenAPI file may disclose endpoint names, version clues, expected authentication, and documentation inconsistencies. Here, /v1/accounts is both deprecated and listed with no security requirement, while /internal/admin/users is labeled internal but appears in a public spec. Because the tester has no credentials and is limited to non-intrusive enumeration, the best action is to preserve evidence, report the documentation and exposure concerns, and ask the client to confirm whether deeper validation is authorized. The key is to improve finding confidence without exceeding the rules of engagement.
Topic: Attacks and Exploits
During an authorized web application test, a product search parameter shows SQL injection behavior in the staging environment. In production, a WAF blocks the same benign validation strings, and the rules of engagement prohibit WAF bypass attempts or destructive database actions. The application team asks whether the finding can be closed because production traffic is filtered. What is the BEST professional decision?
Options:
A. Report residual risk and recommend code-level remediation
B. Run destructive SQL actions in staging for impact proof
C. Attempt WAF evasion to prove production exploitability
D. Close the finding as remediated by the WAF
Best answer: A
Explanation: A compensating control can reduce likelihood or exposure without eliminating the underlying vulnerability. Here, staging evidence supports that the application logic is injectable, while the production WAF only blocks observed validation attempts. Because the rules of engagement prohibit bypass attempts and destructive database actions, the professional decision is to report the residual risk, clearly note the WAF as a mitigating control, and recommend fixing the vulnerable code path. The finding should not be closed solely because a perimeter control currently filters the tested input.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the rules of engagement allow post-exploitation evidence review but prohibit new lateral movement attempts without written approval. The tester finds the following evidence:
DC log: CORP\svc_backup successful network logon to WS-17, then WS-23
Source host: WS-09
Time span: 4 minutes
Endpoint logs: ADMIN$ share accessed on WS-17 and WS-23 from WS-09
Endpoint logs: temporary remote service created on WS-17 and WS-23
Which approach best maps to these requirements?
Options:
A. Classify the events as routine vulnerability scanning
B. Run credential spraying from WS-09 to confirm reuse
C. Correlate the events as likely SMB-based lateral movement
D. Dump credentials from WS-09 to prove compromise
Best answer: C
Explanation: Lateral movement indicators often appear as correlated authentication and remote administration evidence, not as a single log entry. In this case, one privileged account successfully authenticates from one host to multiple workstations in a short window, accesses ADMIN$ shares, and creates temporary remote services. That pattern is consistent with SMB-based remote execution or administrative lateral movement. Because the rules of engagement prohibit new lateral movement attempts, the safest valid approach is to document the correlation, preserve the evidence, and request approval before performing any additional validation that could expand access.
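The correlation described above, as an added example that is not part of the original page or any SIEM product: the code groups network logons by account and source host, looks for several destinations inside a short window, and then checks which of those destinations also show ADMIN$ access from the same source plus a newly created service. The log lines are constructed in a simple key=value form standing in for exported Windows events; the hosts and account mirror the exhibit (WS-09, WS-17, WS-23, CORP\svc_backup), and the window and threshold values are assumptions.

```python
"""Correlate authentication and endpoint events into a lateral-movement finding.

Added example. SAMPLE_EVENTS are constructed lines in 'timestamp source key=value ...'
form; the hosts and account mirror the exhibit, the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    "2026-05-26T02:10:03Z dc event=logon account=CORP\\svc_backup src=WS-09 dst=WS-17 type=3",
    "2026-05-26T02:10:09Z endpoint event=share_access share=ADMIN$ src=WS-09 host=WS-17",
    "2026-05-26T02:10:12Z endpoint event=service_created host=WS-17 name=svc_tmp_17",
    "2026-05-26T02:13:40Z dc event=logon account=CORP\\svc_backup src=WS-09 dst=WS-23 type=3",
    "2026-05-26T02:13:45Z endpoint event=share_access share=ADMIN$ src=WS-09 host=WS-23",
    "2026-05-26T02:13:52Z endpoint event=service_created host=WS-23 name=svc_tmp_23",
    # Benign noise: one user reaching one file server's public share.
    "2026-05-26T02:30:00Z dc event=logon account=CORP\\jdoe src=WS-02 dst=FS-01 type=3",
    "2026-05-26T02:31:00Z endpoint event=share_access share=Public src=WS-02 host=FS-01",
]


def parse_event(line):
    """Split 'timestamp source key=value ...' into a dict with a datetime under 'ts'."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def correlate_lateral_movement(lines, window=timedelta(minutes=10), min_targets=2):
    """Flag (account, source host) pairs that reached several hosts over the network
    within one window, and note which targets also show ADMIN$ access plus a new
    service, the pattern of SMB-based remote execution."""
    logons = defaultdict(list)   # (account, src) -> [(ts, dst)]
    admin_share = set()          # (src, host) pairs with ADMIN$ access
    service_hosts = set()        # hosts where a service was created
    for e in map(parse_event, lines):
        if e["event"] == "logon" and e.get("type") == "3":      # type 3 = network logon
            logons[(e["account"], e["src"])].append((e["ts"], e["dst"]))
        elif e["event"] == "share_access" and e["share"] == "ADMIN$":
            admin_share.add((e["src"], e["host"]))
        elif e["event"] == "service_created":
            service_hosts.add(e["host"])

    findings = []
    for (account, src), hits in logons.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = [(t, d) for t, d in hits[i:] if t - t0 <= window]
            targets = sorted({d for _, d in in_window})
            if len(targets) < min_targets:
                continue
            corroborated = [h for h in targets if (src, h) in admin_share and h in service_hosts]
            findings.append({
                "account": account, "src": src, "targets": targets,
                "span_minutes": round((in_window[-1][0] - t0).total_seconds() / 60, 1),
                "admin_share_and_service": corroborated,
                "assessment": ("likely SMB-based lateral movement" if corroborated
                               else "multi-host network logons; needs corroboration"),
            })
            break   # one finding per (account, source) is enough for triage
    return findings
```

On the sample, only svc_backup from WS-09 is reported, with both WS-17 and WS-23 corroborated by ADMIN$ access and service creation; jdoe's single file-server logon never reaches the threshold. The output is documentation of what the existing evidence already shows, which is all the rules of engagement in this scenario allow.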
Topic: Attacks and Exploits
During an authorized web application test, a tester evaluates whether an export endpoint enforces object-level authorization. The rules of engagement allow non-destructive validation only and require stopping if another customer’s data is exposed.
Exhibit: Test evidence
| Test | Result | Evidence |
|---|---|---|
| Own invoice export | 200 OK | Returned tester-owned invoice |
| Other invoice by invoiceId | 403 Forbidden | App log: owner check denied |
| Other invoice by documentId | 200 OK | Returned other customer name and invoice total |
What is the best reporting conclusion?
Options:
A. Continue testing with more customer records to prove impact.
B. Record the test as failed because one request returned 403.
C. Report only a WAF tuning issue for allowed traffic.
D. Report an object-level authorization bypass risk.
Best answer: D
Explanation: A failed test attempt means the control prevented the action and no protected result was obtained. Here, one path correctly denied access, but the alternate parameter returned another customer’s data. That is evidence of a control bypass, likely broken object-level authorization or IDOR, not merely a blocked or inconclusive attempt. Because the rules of engagement require stopping when other customer data appears, the tester should preserve minimal evidence and report the exposure without expanding access to additional records.
The key distinction is outcome-based: blocked request plus no data suggests failure; alternate path plus unauthorized data suggests bypass risk.
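The two object-level authorization findings above (the recovery-email change and the invoiceId/documentId export) share one root cause, so here is a single added example, not code from the tested application, that models both: a handler that trusts a client-supplied accountId, an export endpoint where only one of two lookup paths checks ownership, and the fixed versions that resolve every identifier to the canonical object and authorize once. Accounts, identifiers and the in-memory store are constructed.

```python
"""Object-level authorization: the bypass pattern and the fix, side by side.

Added example. Models a profile update that trusts a client-supplied accountId
and an export endpoint whose documentId path skips the owner check, then shows
the corrected handlers. All data below is constructed.
"""


class Forbidden(Exception):
    """Raised where the HTTP layer would return 403."""


# Constructed data: the two authorized test accounts and one invoice each.
ACCOUNTS = {
    "TestUserA": {"recovery_email": "a@example.test"},
    "TestUserB": {"recovery_email": "b@example.test"},
}
INVOICES = {
    "inv-100": {"owner": "TestUserA", "total": 120.00, "document_id": "doc-900"},
    "inv-200": {"owner": "TestUserB", "total": 480.00, "document_id": "doc-901"},
}
DOCUMENT_TO_INVOICE = {v["document_id"]: k for k, v in INVOICES.items()}


def update_recovery_email_vulnerable(session_user, account_id, new_email):
    """Broken object-level authorization: the accountId in the request is trusted,
    so a session for TestUserA can change TestUserB's recovery email."""
    ACCOUNTS[account_id]["recovery_email"] = new_email
    return 200


def update_recovery_email_fixed(session_user, account_id, new_email):
    """Bind the target object to the authenticated principal before any state change."""
    if account_id != session_user:
        raise Forbidden("owner check denied")
    ACCOUNTS[account_id]["recovery_email"] = new_email
    return 200


def export_invoice_vulnerable(session_user, invoice_id=None, document_id=None):
    """Only one of two lookup paths enforces ownership: the bypass in the evidence table."""
    if invoice_id is not None:
        invoice = INVOICES[invoice_id]
        if invoice["owner"] != session_user:
            raise Forbidden("owner check denied")
        return invoice
    return INVOICES[DOCUMENT_TO_INVOICE[document_id]]   # no owner check on this path


def load_owned_invoice(session_user, invoice_id):
    """Single authorization point: every route must pass through this check."""
    invoice = INVOICES[invoice_id]
    if invoice["owner"] != session_user:
        raise Forbidden("owner check denied")
    return invoice


def export_invoice_fixed(session_user, invoice_id=None, document_id=None):
    """Resolve any alternate identifier to the canonical object first, then authorize once."""
    if invoice_id is None:
        invoice_id = DOCUMENT_TO_INVOICE[document_id]
    return load_owned_invoice(session_user, invoice_id)


def status_of(handler, *args, **kwargs):
    """Map a handler outcome to the status code a tester would record as evidence."""
    try:
        handler(*args, **kwargs)
        return 200
    except Forbidden:
        return 403
```

Reproducing the evidence table with `status_of` gives 200 for the tester's own invoice, 403 for the other invoice by invoiceId and 200 for the same invoice by documentId against the vulnerable export; against the fixed export the documentId path returns 403 as well. The design point is that the check lives on the object, not on the route, so adding a new lookup parameter cannot create a second unguarded path.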
Topic: Post-Exploitation and Lateral Movement
During an authorized post-exploitation review of an in-scope production web server, a tester finds a configuration file readable by the application service account. The file contains a cloud API token with write access to all storage buckets and no expiration. The rules of engagement prohibit using recovered credentials to access customer data, and the business requires no application downtime. Which remediation direction is the BEST professional recommendation?
Options:
A. Delay remediation until the application can be fully rewritten
B. Use the token to verify access to customer storage objects
C. Restrict the file permissions but keep the same token active
D. Rotate the token and move to least-privileged, short-lived secret management
Best answer: D
Explanation: Credential findings after access should be handled by reducing exposure and blast radius, not by expanding use of the credential. The evidence already supports a high-confidence finding: a readable file contains a long-lived token with broad write permissions. The professional remediation direction is to rotate the exposed token, remove static storage where possible, use a managed secret or identity mechanism, enforce least privilege, and prefer short-lived credentials. This respects the ROE because it does not require accessing customer data with the recovered token, and it supports business continuity because these controls can usually be staged without taking the application offline. File permissions help, but they do not fix the already-exposed token or excessive scope.
Topic: Attacks and Exploits
During an authorized internal penetration test, several users on one VLAN report new HTTPS certificate warnings. The tester reviews a short packet capture and host state from an affected workstation.
Exhibit:
Expected default gateway: 10.30.8.1 -> 00:25:90:ab:10:01
Observed ARP cache: 10.30.8.1 -> 7c:8b:ca:44:19:02
Capture notes: repeated unsolicited ARP replies for 10.30.8.1
TLS to payroll.internal: issuer changed to "Local Proxy Root"
Proxy settings: no approved proxy configured on the workstation
Which interpretation is best supported by the exhibit?
Options:
A. DNS cache poisoning against the payroll hostname
B. On-path interception using address-resolution manipulation
C. Server-side certificate expiration on payroll.internal
D. Normal enterprise TLS inspection by an approved proxy
Best answer: B
Explanation: The evidence points to an on-path attack, most likely enabled by ARP spoofing or poisoning on the local network. The workstation believes the default gateway IP belongs to a different MAC address than expected, and the capture shows repeated unsolicited ARP replies advertising that mapping. That can redirect traffic through an attacker-controlled system. The changed TLS issuer and lack of an approved proxy configuration further support interception rather than a normal enterprise proxy. The strongest reporting conclusion is that traffic flow and certificate evidence are consistent with on-path interception, not merely a certificate problem on the destination server.
Topic: Attacks and Exploits
During an authorized penetration test, you review the identity provider configuration and recent sign-in telemetry for an internet-facing customer portal. Which reporting conclusion is best supported by the exhibit?
Exhibit: Authentication evidence
Portal: accounts.example.com
MFA: optional for standard users; required for admins
Password policy: minimum 8 characters; no breached-password check
Account lockout: disabled; throttling set to log only
Last 7 days: 1,842 failed logins across 96 users
Successful logins from tested source ranges: none observed
Help desk tickets for account takeover: none
Options:
A. Administrative MFA fully mitigates the risk.
B. Weak authentication controls increase credential-attack risk.
C. Confirmed account compromise occurred.
D. No authentication finding should be reported.
Best answer: B
Explanation: A penetration test finding can be valid when weak authentication controls create a credible risk, even without proof that an account was compromised. The exhibit shows high failed-login volume across many users, optional MFA for standard users, no breached-password screening, and lockout disabled with logging only. Those facts support reporting elevated exposure to password spraying or credential stuffing attempts. The conclusion should avoid overstating impact: there is no observed successful login or help desk evidence of takeover, so account compromise is not confirmed. The strongest report wording ties the risk to the demonstrated control weakness and attack pattern, then recommends stronger MFA enforcement, throttling or lockout controls, and compromised-password protections.
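The "high failed-login volume across many users" in the exhibit is a pattern that can be separated from single-account brute force in the telemetry itself. The following is an added example, not from the page or any identity provider, that does this over constructed sign-in lines: it counts failures per source and per user, flags a spray (many users, few attempts each, which is what lockout-disabled, log-only throttling leaves invisible) and a single-account brute force, and records any success from the same source so the report states attempts rather than compromise. The thresholds are assumptions a SOC would tune to its own baseline.

```python
"""Separate credential-attack patterns in sign-in telemetry without overstating compromise.

Added example. build_sample_signins() returns constructed lines in
'timestamp user=<u> src=<ip> result=fail|success' form; thresholds are assumptions.
"""
from collections import defaultdict


def build_sample_signins():
    """Constructed telemetry: one source trying two guesses against 12 users (spray),
    one source hammering a single account, and one user who mistyped once then succeeded."""
    lines = []
    for i in range(12):
        for k in range(2):
            lines.append(f"2026-05-20T01:{i:02d}:{k * 20:02d}Z user=user{i:02d} src=198.51.100.7 result=fail")
    for k in range(6):
        lines.append(f"2026-05-20T02:00:{k * 5:02d}Z user=bob src=203.0.113.9 result=fail")
    lines.append("2026-05-20T03:00:00Z user=alice src=10.0.0.5 result=fail")
    lines.append("2026-05-20T03:00:20Z user=alice src=10.0.0.5 result=success")
    return lines


def analyze_signins(lines, spray_min_users=8, spray_max_per_user=3, brute_min_failures=5):
    """Return findings describing spray and single-account brute-force patterns per source,
    each with the list of accounts that actually logged in from that source."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed count
    successes = defaultdict(set)                        # src -> users that logged in
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split()[1:])
        if f["result"] == "fail":
            failures[f["src"]][f["user"]] += 1
        else:
            successes[f["src"]].add(f["user"])

    findings = []
    for src, per_user in failures.items():
        # Spray: many distinct users, few attempts each, staying under any lockout threshold.
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings.append({"src": src, "pattern": "password spray",
                             "users_targeted": len(per_user),
                             "failures": sum(per_user.values()),
                             "confirmed_logins": sorted(successes[src] & set(per_user))})
        # Brute force or stuffing: many attempts against one account from one source.
        for user, n in per_user.items():
            if n >= brute_min_failures:
                findings.append({"src": src, "pattern": "single-account brute force",
                                 "user": user, "failures": n,
                                 "confirmed_logins": sorted(successes[src] & {user})})
    return findings
```

On the sample the spray source is reported with 12 users and 24 failures, bob's source as a single-account brute force with 6 failures, and alice's one typo is ignored; both findings carry an empty `confirmed_logins` list, which is the telemetry equivalent of "no successful logins observed" in the exhibit and the reason the finding is worded as exposure rather than compromise.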
Topic: Engagement Management
A penetration tester is writing a report finding after an authorized web application test. The client requires each finding to include evidence, the affected asset, risk, business impact, and remediation direction. Which finding wording best meets the requirement?
Options:
A. Developers should implement better access controls and perform secure code reviews for all customer-facing applications.
B. The application has an insecure direct object reference vulnerability that should be fixed as soon as possible because it may expose sensitive data.
C. During testing, the team confirmed that changing a request parameter returned records that did not belong to the test account.
D. app01.example.com returned other users’ order records when the customerId value was changed in an authenticated request; this insecure direct object reference could expose customer data and violate privacy obligations, so enforce object-level authorization checks on every order lookup.
Best answer: D
Explanation: A strong penetration test finding should be specific enough for both technical and business readers to understand what was observed, where it was observed, why it matters, and how to begin fixing it. The best wording identifies the affected asset, gives concise evidence from the test, names the risk, explains the potential business impact, and provides remediation direction that maps to the weakness. Generic severity language or broad advice is not enough because it does not support validation, ownership, or remediation planning.
Topic: Reconnaissance and Enumeration
A penetration tester is reviewing a short script before running it for reconnaissance. The rules of engagement allow active probing only during the approved window and only against customer-owned hostnames in targets.txt; third-party services and authentication attempts are out of scope. The stakeholder asks what the script does and when it should be used.
```python
import socket
import requests

# Read one hostname per line from the approved target list.
for line in open("targets.txt"):
    host = line.strip()
    if not host:
        continue  # skip blank lines, which gethostbyname would reject
    ip = socket.gethostbyname(host)  # active: sends a DNS query for the target
    # Active: one HTTPS HEAD request; redirects are followed automatically.
    r = requests.head(f"https://{host}", timeout=3, allow_redirects=True)
    print(host, ip, r.status_code, r.headers.get("Server", ""))
```
Which professional decision is BEST?
Options:
A. Run it only in the active window against approved hostnames to inventory HTTPS responsiveness and headers.
B. Run it immediately because it performs only passive OSINT collection.
C. Run it against all discovered hostnames to identify shadow IT quickly.
D. Modify it to test default credentials on responsive hosts.
Best answer: A
Explanation: The script’s visible behavior shows its purpose: it reads hostnames, resolves each one to an IP address, sends an HTTPS HEAD request, and prints basic response evidence such as status code and the Server header. That makes it active reconnaissance, not passive OSINT, because it generates DNS and HTTPS traffic to the targets. The professional choice is to use it only when the rules of engagement allow active probing and only for the approved customer-owned hostnames. The script does not perform authentication testing or vulnerability exploitation, so expanding it into credential checks would exceed the stated authorization.
Topic: Post-Exploitation and Lateral Movement
A penetration test is ending after an authorized internal assessment. The tester removed approved test accounts and temporary files, retained screenshots and logs in the agreed evidence repository, and completed a retest that confirmed the critical web finding is fixed. One medium-risk segmentation issue could not be retested because the maintenance window closed. Which closure statement is the BEST to send to the client?
Options:
A. Testing is complete; evidence will be deleted to reduce client exposure.
B. The segmentation issue should be marked remediated until the next annual test.
C. Cleanup is complete; evidence is preserved; the critical fix passed retest; the segmentation issue remains pending retest.
D. All findings are closed because cleanup is complete and the critical vulnerability was fixed.
Best answer: C
Explanation: Professional closure wording should be accurate, evidence-based, and bounded by what the team actually verified. In this scenario, the tester can close out cleanup activities, confirm evidence was preserved according to the engagement agreement, and state that the critical web finding passed retest. The medium-risk segmentation issue should not be described as fixed or closed because it was not retested before the maintenance window ended. The best closure statement separates confirmed results from remaining limitations so the client understands residual risk and any follow-up retest need.
Topic: Engagement Management
During an authorized web application penetration test, you confirm that a payment callback endpoint accepts unsigned status updates. The endpoint is owned by the client’s application team, but the payment workflow also depends on a third-party processor and a managed WAF provider. The rules of engagement require all provider contact to go through the client sponsor, and the finding could affect order processing if changed incorrectly. What is the BEST professional decision?
Options:
A. Ask the WAF provider to block the callback endpoint immediately
B. Report only to the application team because it owns the endpoint
C. Contact the payment processor directly to speed remediation
D. Notify the client sponsor with evidence and request coordinated triage
Best answer: D
Explanation: Stakeholder communication discipline is critical when a finding spans internal teams and third-party providers. The tester should not bypass the agreed communication path, especially when the rules of engagement require provider contact through the client sponsor. The best action is to provide concise evidence, explain the business impact, and ask the sponsor to coordinate triage with the application team, payment processor, and WAF provider. This keeps remediation authorized, avoids conflicting changes, and helps the client manage operational risk to order processing. Direct provider outreach or unilateral mitigation could exceed authorization or disrupt production workflows.
Topic: Vulnerability Discovery and Analysis
A tester is preparing a preliminary vulnerability report after the active testing window has closed. The rules of engagement prohibit further active testing and credential attacks. The client asked the tester to separate confirmed findings from suspected findings.
| Evidence item | Evidence collected |
|---|---|
| Invoice API authorization | Two client-provided test accounts showed Account A could retrieve Account B invoice metadata; application logs correlate the 200 response. |
| Admin framework version | Scanner marked the framework as “possible outdated” based only on a missing security header. |
| Login password policy | Scanner warned of weak policy after three failed guesses; no lockout or policy evidence was collected. |
Which reporting decision is the BEST professional action?
Options:
A. Confirm the invoice API issue; mark the other two as suspected.
B. Confirm all three because each was identified by a scanner.
C. Run additional validation tests before classifying any finding.
D. Mark all three as suspected because no exploit was performed.
Best answer: A
Explanation: Confirmed findings require enough corroborating evidence to show that the issue exists in the tested environment. Here, the invoice API issue is confirmed because two authorized test accounts reproduced the cross-account access and application logs corroborated the response. The admin framework item is only suspected because the scanner inferred it from weak evidence. The password-policy item is also suspected because the rules prohibit more credential testing and the collected evidence does not prove a weak policy. A professional report should preserve evidence quality and clearly label confidence instead of overstating scanner output.
Topic: Reconnaissance and Enumeration
A penetration tester is authorized to perform DNS enumeration for corp.example and may query the domain’s authoritative name servers. The report must distinguish normal DNS records from misconfigurations that expose internal naming data.
Exhibit: DNS enumeration excerpt
corp.example. NS ns1.corp.example.
corp.example. NS ns2.provider.example.
corp.example. MX 10 mail.corp.example.
AXFR @ns1.corp.example corp.example: failed: REFUSED
AXFR @ns2.provider.example corp.example: succeeded
dev.corp.example. A 192.0.2.40
vpn.corp.example. A 192.0.2.41
mail.corp.example. A 192.0.2.25
payroll.corp.example. A 192.0.2.60
Which approach best maps to the requirements?
Options:
A. Report both name servers as refusing zone transfer
B. Perform unrestricted subdomain brute forcing against the provider
C. Report ns2.provider.example as allowing zone transfer
D. Treat the MX record as the primary misconfiguration
Best answer: C
Explanation: DNS enumeration commonly identifies authoritative name servers, mail exchangers, subdomains, and whether a zone transfer is permitted. Here, NS records identify the authoritative servers, and the MX record identifies mail infrastructure. The decisive issue is that AXFR against ns2.provider.example succeeded and returned hostnames such as dev, vpn, and payroll. A successful zone transfer from an authoritative server can disclose a broad inventory of targets and should be documented with the exposed records and remediation guidance, such as restricting transfers to authorized secondary servers only. The refused transfer from ns1 is not a finding by itself; the provider-hosted server is the concern.
ns1 refused; ns2 returned zone contents.
Topic: Attacks and Exploits
During an authorized internal assessment, a tester reviews packet captures from a user VLAN. The rules of engagement allow passive analysis and reporting, but do not allow credential reuse or data exfiltration.
Exhibit: Evidence summary
- Multiple hosts received ARP replies mapping the default gateway IP to an unknown MAC address.
- Several HTTP sessions from user workstations traversed that MAC address before reaching the gateway.
- No evidence shows successful authentication to internal applications or database access.
Which report statement best maps this evidence to likely business impact?
Options:
A. On-path traffic interception could expose or alter unencrypted user traffic.
B. Only a denial-of-service condition is possible from this evidence.
C. The attacker compromised the internal database using stolen credentials.
D. The tester should reuse captured credentials to prove application impact.
Best answer: A
Explanation: ARP evidence showing the gateway IP mapped to an unexpected MAC address, combined with user HTTP sessions traversing that MAC, supports a likely on-path attack scenario. The business impact should be stated as potential exposure or manipulation of unencrypted traffic, session data, or user activity on that VLAN. Because the evidence does not show successful logins, database queries, or confirmed data theft, the report should not claim application or database compromise. The rules of engagement also prohibit credential reuse and exfiltration, so validation must stay within passive evidence and approved reporting boundaries. The key is to describe the demonstrated network risk without overstating unsupported downstream compromise.
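Both on-path scenarios above (the workstation whose cached gateway MAC changed, and the user-VLAN capture) rest on the same two ARP observations: one IP claimed by more than one MAC, and replies that nobody asked for. The following is an added example, not from the page or any capture tool, that pulls those observations out of a constructed tcpdump-style capture summary and compares them with the documented gateway mapping. The IP and MAC values are the exhibit's; treating a reply as unsolicited when no request for that IP was seen within the preceding two seconds is an assumption.

```python
"""Flag address-resolution manipulation from an ARP capture summary.

Added example. SAMPLE_CAPTURE holds constructed tcpdump-like summary lines;
EXPECTED is the documented gateway mapping from the exhibit.
"""
from collections import defaultdict
from datetime import datetime

EXPECTED = {"10.30.8.1": "00:25:90:ab:10:01"}   # documented gateway mapping

# Constructed capture summary: one legitimate solicited reply, then repeated
# unsolicited replies claiming the gateway IP for a different MAC.
SAMPLE_CAPTURE = [
    "2026-05-26T09:00:00.100Z ARP request who-has 10.30.8.1 tell 10.30.8.55",
    "2026-05-26T09:00:00.102Z ARP reply 10.30.8.1 is-at 00:25:90:ab:10:01",
    "2026-05-26T09:00:05.000Z ARP reply 10.30.8.1 is-at 7c:8b:ca:44:19:02",
    "2026-05-26T09:00:07.000Z ARP reply 10.30.8.1 is-at 7c:8b:ca:44:19:02",
    "2026-05-26T09:00:09.000Z ARP reply 10.30.8.1 is-at 7c:8b:ca:44:19:02",
    "2026-05-26T09:00:10.000Z ARP request who-has 10.30.8.77 tell 10.30.8.55",
    "2026-05-26T09:00:10.003Z ARP reply 10.30.8.77 is-at 00:11:22:33:44:55",
]


def analyze_arp(lines, expected=EXPECTED, unsolicited_gap=2.0):
    """Return findings for IPs with conflicting MACs, mappings that differ from the
    documented one, or replies not preceded by a request within unsolicited_gap seconds."""
    last_request = {}                 # ip -> time of the most recent who-has
    claims = defaultdict(set)         # ip -> MACs seen claiming it
    unsolicited = defaultdict(int)    # ip -> replies with no recent request
    for line in lines:
        ts, _, kind, *rest = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        if kind == "request":                     # who-has <ip> tell <ip>
            last_request[rest[1]] = t
        elif kind == "reply":                     # <ip> is-at <mac>
            ip, mac = rest[0], rest[2]
            claims[ip].add(mac)
            asked = last_request.get(ip)
            if asked is None or (t - asked).total_seconds() > unsolicited_gap:
                unsolicited[ip] += 1

    findings = []
    for ip, macs in claims.items():
        reasons = []
        if len(macs) > 1:
            reasons.append("conflicting MACs for one IP")
        if ip in expected and macs != {expected[ip]}:
            reasons.append(f"differs from documented mapping {expected[ip]}")
        if unsolicited[ip]:
            reasons.append(f"{unsolicited[ip]} unsolicited replies")
        if reasons:
            findings.append({"ip": ip, "macs": sorted(macs),
                             "unsolicited": unsolicited[ip], "reasons": reasons})
    return findings
```

On the sample only 10.30.8.1 is reported, with both MACs, three unsolicited replies and all three reasons; 10.30.8.77 answered a request within milliseconds with a single MAC and is left alone. Paired with the changed TLS issuer and the absence of an approved proxy, this is the evidence set that supports "on-path interception" rather than "certificate problem on the server".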
Topic: Engagement Management
A penetration test is scheduled for a 6-hour overnight window. The rules of engagement list the in-scope target as “customer portal environment,” but the asset inventory shows a newly discovered host, api-payments-prod, with an owner field of “Shared Services” and a note that it processes live cardholder data. The test team has not previously discussed this host with the client. What is the BEST professional target-selection action?
Options:
A. Test only low-impact checks because the host name matches the portal
B. Proceed during the window and notify stakeholders afterward
C. Pause testing of the host and request written scope clarification
D. Exclude the host permanently from the final report
Best answer: C
Explanation: When scope language, ownership, or business criticality is unclear, the safest target-selection decision is to stop before interacting with the questionable asset and obtain written clarification through the agreed communication path. The host may be related to the customer portal, but the “Shared Services” owner and live cardholder-data note create authorization and business-impact uncertainty. A tester should not infer permission from a naming pattern or a broad environment label when the action could affect a sensitive production system.
The key takeaway is to preserve authorization and client trust first; testing can resume only after scope is clarified and any constraints are documented.
Topic: Reconnaissance and Enumeration
A tester wants to use a public reconnaissance script during an authorized external assessment. The tester reviews the engagement notes and the script header before execution. Which risk is most directly supported by the exhibit?
ROE: In scope: 203.0.113.0/28 and app.example.com only
ROE: Third-party SaaS/CDN providers are out of scope
Script: Expands discovered CNAMEs and probes all resolved hosts
Script: No allowlist; follows redirects; 50 concurrent HTTP requests
Options:
A. It is safe if run only during the testing window.
B. It cannot collect useful reconnaissance without credentials.
C. It may probe out-of-scope third-party hosts.
D. It proves that the CDN provider is vulnerable.
Best answer: C
Explanation: The core issue is authorization control when using scripts for reconnaissance. A public or unreviewed script can perform actions the tester did not intend, such as following redirects, expanding CNAMEs, or probing every resolved host. In this exhibit, the ROE limits testing to a specific IP range and one hostname, while the script has no allowlist and automatically contacts discovered infrastructure. That creates a direct risk of sending traffic to third-party SaaS or CDN systems that are explicitly out of scope. The safe next step would be to review and modify the script so it enforces the approved target list before execution.
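The "review and modify the script so it enforces the approved target list" step above, applied to the HTTPS probe reviewed in the earlier script question, as an added example that is neither that script nor a published tool: every hostname is matched exactly against the ROE hostname allowlist, every resolved address is checked against the approved CIDR before any request is sent, and a redirect is followed only when it stays on an approved host. The allowlist values are this exhibit's ROE entries; the hostnames used in the checks are documentation-reserved names. It uses only the standard library, so it has no `requests` dependency.

```python
"""Scope-enforcing version of the HTTPS reconnaissance probe.

Added example. ALLOWED_HOSTS and ALLOWED_NETS are the exhibit's ROE entries;
hostnames in comments and tests are documentation-reserved names.
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}                       # from the ROE
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]   # from the ROE


def host_in_scope(host, allowed_hosts=ALLOWED_HOSTS):
    """Exact match only: no wildcard expansion and no CNAME chasing."""
    return host.strip().lower().rstrip(".") in allowed_hosts


def ip_in_scope(ip, allowed_nets=ALLOWED_NETS):
    """A resolved address must sit inside an approved range before any packet is sent."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def redirect_allowed(location, origin_host):
    """Follow a Location header only if it is relative (same host) or names an approved host."""
    parts = urlsplit(location)
    if not parts.netloc:
        return host_in_scope(origin_host)
    return host_in_scope(parts.hostname or "")


class ScopedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would carry traffic to an out-of-scope host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        origin = urlsplit(req.full_url).hostname or ""
        if not redirect_allowed(newurl, origin):
            raise urllib.error.HTTPError(
                req.full_url, code, f"redirect to out-of-scope host refused: {newurl}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe(host, timeout=3.0):
    """Resolve and HEAD one host, refusing before any traffic if it is outside scope."""
    if not host_in_scope(host):
        return {"host": host, "status": "skipped: hostname not in ROE allowlist"}
    ip = socket.gethostbyname(host)
    if not ip_in_scope(ip):
        return {"host": host, "ip": ip, "status": "skipped: resolves outside approved CIDR"}
    opener = urllib.request.build_opener(ScopedRedirectHandler())
    req = urllib.request.Request(f"https://{host}", method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return {"host": host, "ip": ip, "status": resp.status,
                    "server": resp.headers.get("Server", "")}
    except urllib.error.HTTPError as err:        # 4xx/5xx and refused redirects
        return {"host": host, "ip": ip, "status": err.code, "note": str(err.reason)}
    except (urllib.error.URLError, OSError) as err:
        return {"host": host, "ip": ip, "status": "error", "note": str(err)}


if __name__ == "__main__":
    # One request at a time, only for approved names, only inside the testing window.
    for line in open("targets.txt"):
        if line.strip():
            print(probe(line.strip()))
```

The three checks map directly onto the three risks in the exhibit: the exact-match allowlist replaces CNAME expansion, the CIDR check catches a name that resolves to a CDN or SaaS address, and the redirect handler stops a 3xx from the approved host pulling the probe onto a provider's domain. Concurrency is deliberately absent; the ROE, not the script, decides the request rate.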
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, a tester created a temporary local user and a scheduled task on an in-scope Windows server to demonstrate controlled post-exploitation access. The rules of engagement require all tester-created artifacts to be removed, but the final report must include defensible evidence of impact and cleanup actions. What should the tester do before removing the artifacts?
Options:
A. Leave the artifacts for the client to inspect later
B. Create additional artifacts to confirm persistence survives reboot
C. Capture timestamps, screenshots, and command output showing the artifacts
D. Delete the artifacts immediately to reduce exposure time
Best answer: C
Explanation: Evidence preservation should happen before cleanup because artifact removal can destroy the proof needed for the report, client validation, and accountability. In this scenario, the tester must both restore the system and provide defensible evidence of what was created, why it mattered, and how it was removed. Appropriate evidence can include screenshots, timestamps, relevant command output, file paths, account names, task names, and cleanup verification notes, kept within the engagement’s evidence-handling requirements. Cleanup without documentation weakens the finding, while leaving artifacts or expanding testing can create unnecessary risk or exceed authorization. The key takeaway is to document tester-created artifacts first, then remove and verify removal according to the rules of engagement.
Topic: Reconnaissance and Enumeration
A penetration tester is preparing reconnaissance notes for later vulnerability analysis. Active testing is not yet approved.
Exhibit: Recon evidence
Source: certificate transparency + passive DNS
Collected: 2026-05-26 14:10 UTC
Host: build-dev.example.com
IP: 203.0.113.24
Observed: HTTPS title "Jenkins Dashboard"
Scope note: *.example.com is in scope for passive recon only
Which documentation action best preserves this evidence for the analysis phase?
Options:
A. Store the raw output with source, timestamp, scope note, and observed service.
B. Create a critical vulnerability finding for exposed Jenkins.
C. Delay documentation until active scanning confirms a vulnerability.
D. Record only that a Jenkins server may exist.
Best answer: A
Explanation: Reconnaissance evidence should be preserved in a way that supports later validation, correlation, and reporting. The key is to keep the original observation and its context: where it came from, when it was collected, what target it references, what was observed, and any scope limitation. This allows the vulnerability analysis phase to determine whether the host is still valid, whether active testing is authorized, and whether the evidence supports a finding. A passive recon result showing a Jenkins title is a lead, not yet proof of a vulnerability. The documentation should preserve evidence quality without overstating impact or taking unauthorized action.
Topic: Vulnerability Discovery and Analysis
A penetration tester is preparing a status update for a scoped staging web application. The rules of engagement allow read-only repository review and non-destructive runtime testing during a two-hour window. Which interpretation is the BEST professional decision?
Evidence:
| Finding | Evidence shown |
|---|---|
| Finding 1 | UserController.java:84 shows request input concatenated into a SQL query; tool displays a source-to-sink data flow. |
| Finding 2 | GET /search?q=test' returned HTTP 500 with a database syntax error; tool captured the request and response. |
Options:
A. Treat Finding 1 as source analysis and Finding 2 as runtime probing.
B. Treat Finding 1 as runtime probing and Finding 2 as source analysis.
C. Treat both findings as runtime probing because both relate to a web endpoint.
D. Treat both findings as source analysis because both mention SQL behavior.
Best answer: A
Explanation: Static application security testing analyzes code, configuration, or data flow without executing the application. Evidence such as file names, line numbers, and source-to-sink traces points to source analysis. Dynamic application security testing probes a running application and observes behavior, so request/response captures, HTTP status codes, and runtime error messages point to runtime probing. In this scenario, the professional update should classify the evidence accurately without overstating either result as confirmed exploitation.
Topic: Reconnaissance and Enumeration
During authorized OSINT for a penetration test, a tester finds a public search-engine result showing an exposed storage bucket named similar to the client’s brand. The rules of engagement allow passive reconnaissance only until ownership is confirmed. What documentation action best captures the evidence without overstating the finding?
Options:
A. Exclude the lead until the client confirms ownership
B. Report a confirmed critical data exposure finding
C. Record the source, timestamp, indicators, confidence, and ownership-validation need
D. Access the bucket to verify the contents
Best answer: C
Explanation: OSINT leads should be documented with evidence quality and confidence, not converted into confirmed findings before validation. In this scenario, the bucket name suggests a possible relationship to the client, but the engagement allows only passive reconnaissance until ownership is confirmed. The appropriate action is to preserve the observable facts, such as source, timestamp, naming indicators, screenshots or references, and a clear note that asset ownership and vulnerability status require validation through the approved stakeholder channel. This supports traceability without creating legal, ethical, or reporting risk. The key distinction is between documenting a lead and asserting a confirmed exposure.
Topic: Vulnerability Discovery and Analysis
During an authorized web application assessment, an unauthenticated vulnerability scanner flags an in-scope server as vulnerable to a critical remote code execution issue. The finding is based on a banner/version signature match. The rules of engagement permit scanning and authenticated configuration review, but prohibit exploit execution without separate written approval. The final report must distinguish suspected exposure from confirmed exploitability. What is the best next step?
Options:
A. Run a public exploit to prove the finding immediately.
B. Report the scanner alert as confirmed exploitable impact.
C. Remove the finding unless exploitation is demonstrated.
D. Validate installed version and configuration with authenticated evidence.
Best answer: D
Explanation: A scanner signature match is evidence of possible exposure, not proof that the vulnerability is exploitable in the target environment. Banner-based checks can be wrong because of backported patches, custom builds, disabled components, compensating configuration, or inaccurate service identification. Under these rules of engagement, the tester should strengthen the finding with permitted validation, such as authenticated package/version data, configuration evidence, patch status, and vendor advisory mapping. If exploitation is needed to confirm impact, it requires separate authorization. The report can then label the issue appropriately as suspected, validated by configuration, or confirmed exploitable based on the evidence actually obtained.
Topic: Vulnerability Discovery and Analysis
A penetration testing team is assessing a custom web application before release. The client provides read-only access to the source repository, but no test deployment is available. The rules of engagement prohibit sending test traffic to production. Which testing approach best maps to these requirements?
Options:
A. Run DAST against the production URL
B. Run SAST against the source repository
C. Run DAST after crawling the live application
D. Run a network vulnerability scan of the hosting subnet
Best answer: B
Explanation: Static application security testing (SAST) evaluates source code, bytecode, or binaries to identify insecure coding patterns before the application is running. In this scenario, the team has source access, no deployed test instance, and a rule that forbids production testing. Dynamic application security testing (DAST) evaluates a running application by interacting with it over its exposed interfaces, so it would require an authorized test deployment or approved target. The key distinction is whether the evidence comes from code analysis or observed runtime behavior.
Topic: Engagement Management
A penetration tester is preparing to test portal.example.com during an approved weekend window. The statement of work lists only the hostname, and DNS currently resolves it to a managed CDN/WAF provider. The rules of engagement state that third-party systems may not be tested without explicit written authorization. Which detail must be clarified before testing begins?
Options:
A. Whether the client prefers screenshots or logs as evidence
B. Which remediation owner will receive the finding
C. Whether the CDN/WAF provider environment is authorized in scope
D. Which severity rating scale the final report should use
Best answer: C
Explanation: Rules of engagement define what may be tested, when, and under whose authorization. Here, the named target resolves to infrastructure operated by a third party, and the ROE explicitly prohibits third-party testing without written approval. Before sending traffic, the tester must clarify whether that provider-hosted environment, including the resolved endpoints and protective services, is authorized and within scope. This protects the tester and client from unauthorized activity and prevents accidental testing of assets the client cannot legally approve.
Reporting format, evidence preferences, and remediation ownership matter later, but they do not resolve the immediate authorization gap.
Topic: Engagement Management
A penetration tester is reviewing a potentially critical web finding near the end of an authorized test window. Current time is Thursday 02:06 UTC.
Exhibit: Rules of engagement excerpt
| Item | Requirement |
|---|---|
| Active validation | Monday-Thursday, 22:00-02:00 UTC only |
| Passive review | Allowed anytime |
| High-risk evidence | Escalate within 30 minutes |
| Extra approval | Required before active testing outside the window |
Scan evidence indicates a possible unauthenticated access control bypass on an in-scope customer portal. What should the tester do next?
Options:
A. Wait until the next test window without notifying anyone
B. Immediately validate because the target is in scope
C. Escalate the evidence and request approval before validating further
D. Mark the issue confirmed based only on the scan result
Best answer: C
Explanation: Testing-window constraints control when active validation is allowed, even for in-scope systems. Here, the target is in scope, but the current time is outside the 22:00-02:00 UTC active validation window. The suspected access control bypass is high risk, so the ROE also requires escalation within 30 minutes. The tester should preserve the evidence, avoid additional active testing, and request approval through the defined escalation path before continuing. Scope does not override timing limits, and urgency does not justify unauthorized validation.
Topic: Post-Exploitation and Lateral Movement
A penetration tester is preparing the executive summary after an authorized internal test. The client requested business-focused wording and asked that operational details be kept in the technical appendix.
Exhibit: Post-exploitation evidence summary
| Evidence | Scope-safe observation |
|---|---|
| Initial access | Test user account reached one internal app server |
| Privilege path | Misconfigured service account allowed elevated access |
| Data access | Payroll share metadata and sample filenames were viewable |
| Limitation | No data was exfiltrated; proof was documented by screenshots |
Which statement is most appropriate for the executive summary?
Options:
A. The tester used post-exploitation techniques to enumerate shares and identify privilege escalation paths.
B. The service account password and exact privilege escalation method should be listed here.
C. A service account weakness could let an intruder expand access and expose payroll data.
D. Payroll data was stolen from the environment during the penetration test.
Best answer: C
Explanation: Executive summaries should translate technical evidence into business risk, impact, and priority without disclosing sensitive operational details. The exhibit supports a finding that elevated access was possible through a service account weakness and that payroll-related resources were exposed, but it does not support saying data was stolen. Details such as exact methods, commands, credentials, hashes, or step-by-step paths belong in the technical appendix for approved technical stakeholders. The executive wording should be accurate, concise, and useful for risk-based decision-making.
Topic: Engagement Management
A penetration tester is reviewing the rules of engagement before starting an active test. The current time is Wednesday, March 19, 2025, at 23:15 UTC. Which proposed activity is authorized to proceed?
Exhibit: Rules of engagement excerpt
| Item | Authorized scope/window |
|---|---|
| Network testing | 203.0.113.10-203.0.113.20, Mon-Thu 22:00-02:00 UTC |
| Web app testing | app.example.test, Saturday 10:00-14:00 UTC |
| Exclusions | 203.0.113.21, DoS testing, password attacks |
Options:
A. Run directory enumeration against app.example.test
B. Run a vulnerability scan against 203.0.113.15
C. Run a service scan against 203.0.113.21
D. Run a password spray against the VPN portal
Best answer: B
Explanation: Authorized testing must satisfy target scope, activity type, and testing window at the same time. At 23:15 UTC on Wednesday, network testing is allowed because the window runs Monday through Thursday from 22:00 to 02:00 UTC, and 203.0.113.15 falls within 203.0.113.10-203.0.113.20. Each distractor fails one gate: app.example.test is in scope only on Saturday, so directory enumeration on Wednesday is out of window; 203.0.113.21 is explicitly excluded even though it sits next to the authorized range; and a password spray is a prohibited technique regardless of target or time. The safest professional decision is to proceed only with the activity that matches target, time, and allowed test type.
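The same three-gate decision (target, activity type, window) expressed as code, added here as an example rather than any vendor's tooling. It transcribes this exhibit's ROE rows as constructed data and also covers the earlier Thursday 02:06 scenario, because a 22:00-02:00 window crosses midnight and the early-morning half belongs to the day the slot started on.

```python
"""Three-gate authorization check (target, activity type, window) for an ROE
excerpt, with windows that cross midnight handled correctly."""
from datetime import datetime, time, timedelta, timezone
import ipaddress

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# ROE rows transcribed from the exhibit (constructed data, not a live engagement).
RULES = [
    {"activity": "network", "first_ip": "203.0.113.10", "last_ip": "203.0.113.20",
     "days": {"Mon", "Tue", "Wed", "Thu"}, "start": time(22, 0), "end": time(2, 0)},
    {"activity": "web", "hosts": {"app.example.test"},
     "days": {"Sat"}, "start": time(10, 0), "end": time(14, 0)},
]
EXCLUDED_TARGETS = {"203.0.113.21"}
PROHIBITED_TECHNIQUES = {"dos", "password_attack"}


def utc(year, month, day, hour, minute):
    """Aware UTC timestamp; ROE times are UTC, so never compare naive values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_window(now, days, start, end):
    """A window that ends before it starts (22:00-02:00) belongs to the day it
    started on: Thu 01:30 is inside the Wed slot, Thu 02:06 is outside every slot."""
    today = DAY_NAMES[now.weekday()]
    if start <= end:                       # same-day window
        return today in days and start <= now.time() < end
    if now.time() >= start:                # evening half, started today
        return today in days
    if now.time() < end:                   # early-morning half, started yesterday
        return DAY_NAMES[(now - timedelta(days=1)).weekday()] in days
    return False


def target_matches(rule, target):
    """Hostname rules match exactly; IP rules match an inclusive address range."""
    if "hosts" in rule:
        return target in rule["hosts"]
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return ipaddress.ip_address(rule["first_ip"]) <= addr <= ipaddress.ip_address(rule["last_ip"])


def authorize(activity, target, technique, now):
    """Return (allowed, reason). Prohibitions and exclusions are checked first,
    then the target must be listed for the activity, then the window must be open."""
    if technique in PROHIBITED_TECHNIQUES:
        return False, "technique prohibited by ROE"
    if target in EXCLUDED_TARGETS:
        return False, "target explicitly excluded"
    for rule in RULES:
        if rule["activity"] == activity and target_matches(rule, target):
            if in_window(now, rule["days"], rule["start"], rule["end"]):
                return True, "target, activity and window all authorized"
            return False, "in scope but outside its window: escalate and request approval"
    return False, "target not listed for this activity"


if __name__ == "__main__":
    now = utc(2025, 3, 19, 23, 15)   # Wednesday, from the question stem
    for args in [("web", "app.example.test", "dir_enum"),
                 ("network", "203.0.113.15", "vuln_scan"),
                 ("network", "203.0.113.21", "service_scan"),
                 ("network", "vpn.example.test", "password_attack")]:
        print(args, authorize(*args, now))
```

Keeping the window logic in one function is the point: the same code that approves Wednesday 23:15 also refuses Thursday 02:06 and approves Friday 01:30, which is the slot that began Thursday 22:00.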
Topic: Attacks and Exploits
A penetration tester finds JavaScript references to /api/admin/reports during an authorized web application test. The rules of engagement allow only the two provided test accounts, prohibit high-volume automated attacks, and require report evidence as request/response pairs. The tester must determine whether a standard user can read admin-only report data without changing server state. Which tool category is the least intrusive fit?
Options:
A. Automated exploit framework targeting the API service
B. High-volume directory brute-forcer for hidden endpoints
C. API client or intercepting proxy for manual read-only checks
D. Credential-stuffing tool against the login workflow
Best answer: C
Explanation: The need is to validate a possible API authorization flaw while staying within strict rules of engagement. Because the tester has approved accounts and needs request/response evidence, a manual API client or intercepting proxy is the least intrusive category. It supports controlled role-based checks, preserves evidence, and can avoid write operations or disruptive traffic. A broader scanner or exploit framework would create unnecessary risk and may violate the prohibition on high-volume automated attacks.
Topic: Post-Exploitation and Lateral Movement
During an internal penetration test, the rules of engagement allow testing only the HR application server and two named database servers. The team obtained a low-privilege HR app account within the approved password-spraying limits, used it to access the HR server, and captured evidence that the HR server’s service account could read employee records from DB-HR-01. No access was attempted against the finance network, which was out of scope. Which attack narrative best fits the final report?
Options:
A. The HR database was likely exposed to the internet because employee records were readable.
B. The team compromised the finance network after HR access and confirmed enterprise-wide lateral movement.
C. Approved password spraying led to HR server access, which exposed excessive service-account database permissions and employee-record impact within scope.
D. Weak passwords were found, so the report should focus only on password policy remediation.
Best answer: C
Explanation: An effective attack narrative should explain the chain of events using evidence the team actually collected: authorized initial access, what was observed after access, the demonstrated impact, and where testing stopped because of scope. Here, the defensible story is that an approved password-spraying activity produced a low-privilege HR account, that account enabled access to the HR server, and post-exploitation evidence showed excessive service-account access to employee records on the in-scope HR database. The narrative should also state that finance systems were out of scope and were not tested. Avoid adding unverified exposure paths or claiming broader compromise than the engagement supported.
Topic: Attacks and Exploits
During an authorized penetration test of a multi-tenant SaaS API, you are assigned a read-only test account in tenant Red. The rules of engagement allow access-control validation with provided test accounts, but prohibit bulk enumeration and access to real customer data. You change only the object identifier in a request and observe the following:
GET /api/v2/projects/1842 -> 200 OK
Response: tenant=Red, projectName=Quarterly Plan
GET /api/v2/projects/2199 -> 200 OK
Response: tenant=Blue, projectName=Acquisition Prep
What is the BEST professional decision?
Options:
A. Classify the issue as low risk because the account is read-only.
B. Report a BOLA finding with minimal evidence and recommend object ownership checks.
C. Attempt an update request to prove write-level impact.
D. Continue incrementing project IDs to measure the affected tenant count.
Best answer: B
Explanation: Broken object-level authorization occurs when an API authorizes the user but fails to verify that the requested object belongs to that user, role, or tenant. Here, a Red tenant account can retrieve a Blue tenant project by changing only the project identifier. That is enough evidence of a cross-tenant authorization flaw, even if the account is read-only. Because the rules prohibit bulk enumeration and real customer data access, the professional decision is to stop expansion, preserve minimal proof, notify through the agreed channel, and recommend server-side object ownership and tenant-boundary checks. Proving additional impact by enumerating IDs or attempting writes would exceed the safest evidence needed under the stated authorization.
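What the recommended fix looks like in code, as an added example and not the assessed API: a lookup that authenticates the caller but never checks object ownership, beside one that binds the query to the session's tenant. The records mirror the exhibit; the principal model, role names and HTTP-style status tuples are constructed for illustration.

```python
"""Broken object-level authorization: the vulnerable lookup beside the tenant-bound one.
Handlers return (status, body) tuples standing in for HTTP responses."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity taken from the authenticated session, never from request parameters."""
    user: str
    tenant: str
    role: str  # "reader" or "editor" (hypothetical role names)


# Constructed records in the shape of the exhibit's responses.
PROJECTS = {
    1842: {"tenant": "Red", "projectName": "Quarterly Plan"},
    2199: {"tenant": "Blue", "projectName": "Acquisition Prep"},
}


def get_project_vulnerable(principal, project_id):
    """Authenticates the caller (a Principal exists) but authorizes nothing about
    the object: any valid session in any tenant can read any project id."""
    project = PROJECTS.get(project_id)
    return (404, None) if project is None else (200, project)


def get_project_fixed(principal, project_id):
    """Tenant boundary enforced server-side against the session's tenant.
    A cross-tenant id gets the same 404 as a missing id, so an attacker cannot
    use 403 responses to confirm which ids exist in other tenants."""
    project = PROJECTS.get(project_id)
    if project is None or project["tenant"] != principal.tenant:
        return (404, None)
    return (200, project)


def update_project_fixed(principal, project_id, new_name):
    """Write path: the same object-level check, then a role check."""
    status, project = get_project_fixed(principal, project_id)
    if status != 200:
        return (status, None)
    if principal.role != "editor":
        return (403, None)
    project["projectName"] = new_name
    return (200, project)


if __name__ == "__main__":
    red_reader = Principal("enum.tester", "Red", "reader")
    for pid in (1842, 2199):   # the two requests from the exhibit
        print("vulnerable", pid, get_project_vulnerable(red_reader, pid))
        print("fixed     ", pid, get_project_fixed(red_reader, pid))
```

The ownership check lives in the read path and the write path reuses it, which is what keeps a later "edit" endpoint from reintroducing the flaw.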
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, a tester obtains post-exploitation evidence that a compromised service account can read a production database containing customer payment records. The rules of engagement state: “For evidence of production data exposure or operational impact risk, immediately pause testing on the affected system and notify the client security POC and the engagement manager using the critical-finding escalation channel.” What should the tester do next?
Options:
A. Collect several payment records to prove impact
B. Pause testing and escalate through the critical-finding channel
C. Wait and include the issue in the final report
D. Notify the database administrators directly
Best answer: B
Explanation: High-risk post-exploitation evidence, especially potential production data exposure, should trigger the notification path defined in the rules of engagement. The tester should preserve evidence already obtained, avoid unnecessary data access, pause activity on the affected system, and notify the authorized stakeholders through the specified critical-finding channel. This protects the client, maintains authorization boundaries, and allows the client to decide on containment or business-impact actions. Continuing to gather sensitive records may increase harm and legal exposure rather than improve evidence quality.
Topic: Vulnerability Discovery and Analysis
A penetration testing team is assessing 60 in-scope internal servers. The rules of engagement allow scanner logins with approved read-only credentials during the maintenance window. The client wants high-confidence evidence of missing OS patches and insecure local configuration settings without exploit attempts. Which scanning approach best meets these requirements?
Options:
A. Attempt exploitation of each suspected finding
B. Run an authenticated vulnerability scan
C. Use administrator credentials to change settings
D. Run only an unauthenticated port scan
Best answer: B
Explanation: Authenticated vulnerability scanning logs in with approved credentials and can inspect local evidence such as installed packages, patch levels, registry or configuration settings, and service details. That maps directly to the client’s need for higher-confidence findings about missing patches and insecure local configurations without exploit attempts. Unauthenticated scanning is useful for an outside-looking-in view of exposed services, banners, and reachable vulnerabilities, but it often has less visibility into host state and can produce more uncertainty for patch/configuration findings. The key distinction is that authorized access increases evidence quality while still staying within the rules of engagement.
Topic: Engagement Management
A penetration test team is planning authenticated dynamic testing for a payment application. Which planning action best reduces operational disruption while preserving the test objective?
Exhibit: Rules-of-engagement excerpt
| Item | Requirement |
|---|---|
| Objective | Validate risk in the externally exposed payment app |
| In-scope targets | pay.example.com, pay-stg.example.com |
| Production window | 22:00-04:00 UTC only |
| Staging note | Mirrors production; approved anytime |
| Constraint | Avoid actions likely to affect checkout availability |
Options:
A. Run the full authenticated scan against production immediately.
B. Use staging for intrusive validation and production only during the approved window.
C. Test a similar payment domain not listed in scope.
D. Exclude checkout workflows from all testing.
Best answer: B
Explanation: The core planning concept is aligning testing intensity with the rules of engagement. The objective is still to validate risk in the externally exposed payment app, so the team should not simply avoid key workflows or move to an unapproved target. The exhibit provides two disruption controls: production testing is limited to 22:00-04:00 UTC, and staging mirrors production and is approved anytime. A sound plan uses staging for intrusive validation and reserves production activity for the approved window, keeping evidence relevant while reducing the chance of checkout disruption. The key is to preserve authorized coverage, not reduce risk by abandoning the objective.
Topic: Post-Exploitation and Lateral Movement
During an authorized post-exploitation phase on an in-scope file server, a tester confirms access to sensitive customer records and a control that could disrupt nightly order processing. The rules of engagement require critical findings or operational-risk evidence to be reported within 1 hour to the engagement manager and client security POC. Lateral movement requires separate approval. What is the BEST professional decision?
Options:
A. Send sample customer records directly to the system owner
B. Wait and document the evidence in the final report
C. Continue lateral movement to measure the full business impact
D. Pause the risky activity and notify the defined escalation contacts
Best answer: D
Explanation: High-risk post-exploitation evidence changes the tester’s priority from further exploration to controlled escalation. Because the rules of engagement define a critical notification path and timing requirement, the tester should pause activity that could increase risk, preserve only necessary evidence, and notify the engagement manager and client security POC. The separate approval requirement for lateral movement also prevents expanding the test to gather more impact detail without authorization. The key is to communicate through the approved chain quickly while avoiding unnecessary exposure of sensitive data.
Topic: Reconnaissance and Enumeration
During an authorized internal penetration test, the rules of engagement allow enumeration only against hosts in 10.10.20.0/24 during a 2-hour window. The client asks you to prioritize evidence that could lead to unauthorized administrative access without disrupting production.
Exhibit: Nmap-style summary
10.10.20.15 22/tcp open ssh OpenSSH
10.10.20.25 445/tcp open microsoft-ds Windows file sharing
10.10.20.40 5432/tcp open postgresql PostgreSQL
10.10.30.10 3389/tcp open ms-wbt-server RDP
Which target should you enumerate first?
Options:
A. 10.10.30.10 on TCP 3389
B. 10.10.20.25 on TCP 445
C. 10.10.20.40 on TCP 5432
D. 10.10.20.15 on TCP 22
Best answer: B
Explanation: The key decision is prioritizing authorized enumeration based on scope and likely impact. The RDP service appears interesting, but 10.10.30.10 is outside the allowed 10.10.20.0/24 range, so it must not be targeted. Among the in-scope hosts, SMB on TCP 445 is commonly relevant to administrative access paths because it can expose domain, share, signing, session, or account-related information during safe enumeration. SSH and PostgreSQL may still be valid later targets, but the stem asks for the first target that best supports evidence of unauthorized administrative access without exceeding scope.
The key takeaway is that a host outside 10.10.20.0/24 must not be enumerated, regardless of potential impact.
Topic: Attacks and Exploits
During an authorized web application test, the team reports that an API endpoint is vulnerable to broken object-level authorization. The rules of engagement allow testing only with two provided test accounts and prohibit accessing real customer records. Which evidence would BEST support the reported exploit-related finding?
Options:
A. A scanner result that labels the endpoint as a critical authorization flaw
B. Paired requests showing one test account retrieving the other test account’s seeded record
C. A screenshot showing the endpoint path and response status code
D. A production customer record retrieved through the vulnerable endpoint
Best answer: B
Explanation: Exploit-related evidence should prove the finding, show impact, and stay within authorization. For a broken object-level authorization finding, the strongest evidence is a controlled comparison: one provided test account can access a record seeded for another provided test account. Including timestamps, request IDs, redacted tokens, and a non-sensitive response excerpt would support reproducibility and remediation without exposing real customer data. A tool label or endpoint screenshot may be useful supporting context, but it does not prove unauthorized object access. Accessing production customer records would exceed the stated rules of engagement.
Topic: Reconnaissance and Enumeration
During an authorized identity enumeration of a cloud tenant, a tester uses only the approved low-privilege account. Which reporting conclusion is best supported by the exhibit?
Scope note: contoso.com tenant and cloud SSO mappings are in scope
Test account: enum.tester@contoso.com
Tenant: Contoso Holdings | Primary domain: contoso.com
Group: AWS-Prod-Admins | Type: Security | Visibility: Public
Readable members: j.smith@contoso.com, svc-deploy@contoso.com
Enterprise app assignment: AWS IAM Identity Center -> AWS-Prod-Admins -> AdministratorAccess
Directory role details: not readable by test account
Options:
A. The AWS SSO mapping is out of scope for this engagement.
B. A readable group maps named identities to AWS production admin access.
C. The service account password was exposed through group membership.
D. Anonymous users can enumerate Global Administrator membership.
Best answer: B
Explanation: Identity enumeration findings should report what the evidence supports without overstating compromise. Here, the tester used an approved low-privilege account and found a public security group whose readable membership is assigned to AWS IAM Identity Center with AdministratorAccess. That supports a conclusion that named identities and a service account are exposed as likely production cloud administrators. The exhibit does not show passwords, successful authentication, or readable tenant administrator roles.
The key takeaway is to connect account, group, role, and tenant data into a defensible privilege-mapping conclusion, then recommend authorized validation or stakeholder confirmation.
Topic: Attacks and Exploits
During an authorized external web application test, the rules of engagement allow only non-disruptive authentication testing and prohibit account takeover. You observe that the login page allows repeated failed attempts, exposes whether a username is valid, and does not require MFA for privileged users. No successful login or confirmed account compromise occurred. Which approach best maps to these requirements?
Options:
A. Classify the finding as confirmed account compromise
B. Report the issue only if a privileged login is confirmed
C. Perform a broad password spray to prove exploitability
D. Report weak authentication controls as increased account-abuse risk
Best answer: D
Explanation: Weak authentication controls can create a valid penetration test finding even when no account has been compromised. In this scenario, repeated login attempts, username enumeration, and lack of MFA increase the likelihood and potential impact of password spraying, brute-force attempts, or account abuse. The tester should report the observed control weaknesses, explain the realistic risk, include the fact that no compromise was confirmed, and recommend controls such as MFA, rate limiting, lockout or throttling, and reduced login feedback. This preserves evidence quality and stays within the rules of engagement. Claiming compromise or performing expanded guessing would overstate evidence or create unauthorized risk.
Topic: Attacks and Exploits
During an authorized web application test, a tester confirms an injection flaw. The screenshot intended for the final report shows the vulnerable parameter, a full session token, and several customer records returned as proof. The client requires enough evidence for developers to reproduce and prioritize the issue, but the report will be shared with executives and a third-party remediation vendor. What should the tester do before including this evidence in the report?
Options:
A. Include the original screenshot to maximize technical credibility
B. Publish a full exploit example so developers can reproduce it
C. Omit all evidence and describe only the vulnerability category
D. Redact tokens and customer data while preserving the request context
Best answer: D
Explanation: Exploit evidence should support the finding without creating new risk. In this scenario, the report has a broad audience, including a third party, and the raw proof contains session credentials and customer data. The appropriate handling is to sanitize or redact sensitive values, keep only the minimum evidence needed to show impact, and preserve enough context for the client to understand the affected parameter, response behavior, and remediation priority. If unredacted artifacts are required, they should be handled separately under the engagement’s evidence-handling process, not placed in the widely shared report. The key takeaway is that proof of exploitability does not justify exposing secrets, PII, or reusable exploit details in the report body.
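A small sanitizer for a captured request/response pair, added here as an example and not part of any testing toolkit: it keeps the affected parameter, path and status code that developers need, and strips session material and customer data. The capture is constructed to match the shape of the earlier `/search?q=test'` finding; the header names and the card and e-mail formats are the only things it knows about.

```python
"""Sanitize a captured request/response pair before it goes into a widely
shared report: keep parameter, path and status; strip credentials and PII."""
import re


def redact_cookie(pairs):
    """Keep cookie names (useful to developers), drop every value."""
    return re.sub(r"=[^;]*", "=[REDACTED]", pairs)


def mask_pan(number):
    """Keep only the last four digits of a card-like number."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


# Applied in order: header secrets first, then tokens and PII anywhere in the body.
RULES = [
    (re.compile(r"^(Authorization:\s*\w+\s+)\S+", re.M | re.I), r"\1[REDACTED]"),
    (re.compile(r"^((?:Set-)?Cookie:\s*)(.+)$", re.M | re.I),
     lambda m: m.group(1) + redact_cookie(m.group(2))),
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[REDACTED-JWT]"),          # JWT: base64url 'eyJ' header
    (re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"),
     r"\1***@\2"),                                                              # e-mail: keep 1 char + domain
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), lambda m: mask_pan(m.group(0))),  # 13-19 digit PAN
]


def redact(capture):
    """Return the capture with every rule applied; request line and status survive."""
    for pattern, repl in RULES:
        capture = pattern.sub(repl, capture)
    return capture


# Constructed capture (not real traffic) in the shape of the SQL-error finding.
SAMPLE = """GET /search?q=test' HTTP/1.1
Host: shop.example.test
Cookie: session=9f2c1a7b3e4d; prefs=dark
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{"error":"syntax error at or near \\"'\\"","rows":[{"email":"alice.smith@example.test","card":"4111 1111 1111 1111"}]}
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Run the output past a second pair of eyes before it ships; regex redaction is a floor, not proof that nothing sensitive remains, and the unredacted original still belongs in the engagement's evidence store, not the report.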
Topic: Attacks and Exploits
During an authorized web application test, a tester validates a URL import feature. The rules of engagement allow safe callbacks to a tester-controlled listener but prohibit retrieving cloud metadata or secrets. The listener receives a request from the application subnet, and the cloud proxy generates an alert reading “metadata service access denied from web-importer”. The testing window ends in 30 minutes, and cloud-control alerts require same-day escalation. What is the BEST professional decision?
Options:
A. Stop testing and report the blocked SSRF evidence
B. Exclude the finding and notify only the SOC
C. Continue testing until metadata content is retrieved
D. Close the issue because the proxy blocked access
Best answer: A
Explanation: A compensating control can prevent full exploitation while still producing reportable evidence. Here, the application made an outbound request and the cloud proxy blocked attempted metadata access from the application component. That behavior supports a finding because the URL import feature can cause server-side requests toward sensitive cloud resources, even though the proxy prevented secret retrieval. The professional action is to preserve the listener and proxy evidence, stop before violating the rules of engagement, escalate as required, and recommend remediation such as strict URL allowlisting, metadata access controls, and egress restrictions. A blocked exploit path is not the same as no vulnerability.
Topic: Attacks and Exploits
During an authorized test of a customer-support AI assistant, the rules of engagement allow non-destructive validation only and prohibit accessing real customer records. The assistant can summarize URLs and can use approved ticketing and CRM tools. When the tester submits a company-controlled test page for summarization, hidden text on the page causes the assistant to attempt a CRM lookup and draft an outbound message, even though the user only asked for a summary. What is the BEST professional decision?
Options:
A. Complete the CRM lookup to prove real customer data exposure
B. Dismiss the issue because the user did not enter the malicious instruction
C. Classify the issue as ordinary cross-site scripting
D. Report indirect prompt injection with safe evidence and boundary-control recommendations
Best answer: D
Explanation: Indirect prompt injection occurs when untrusted content, such as a web page, document, email, or retrieved record, contains instructions that influence an AI application’s response or tool use. In this scenario, the hidden page text caused the assistant to attempt actions outside the user’s intent by invoking CRM-related behavior. Because the engagement prohibits accessing real customer records, the professional choice is to preserve safe evidence, describe the attempted tool use, and recommend controls such as separating retrieved content from system instructions, enforcing tool allowlists, requiring user confirmation for sensitive actions, and applying data-boundary checks. The key is to validate impact safely without turning the test into unauthorized data access.
Topic: Post-Exploitation and Lateral Movement
During an authorized test, a tester obtains a low-privilege shell on an in-scope application server 40 minutes before the approved testing window ends. The rules of engagement allow proof-of-access and local privilege-escalation assessment on in-scope hosts, but prohibit persistence, credential dumping, lateral movement, and access to production customer data. The client wants evidence of business impact without service disruption. What is the BEST post-exploitation objective?
Options:
A. Dump password hashes for offline cracking
B. Document local privilege-escalation evidence on the compromised host
C. Install a temporary backdoor for retesting
D. Pivot to the database server to prove data access
Best answer: B
Explanation: Post-exploitation objectives must be tied directly to the rules of engagement and current scope facts. Here, the tester has access to an in-scope host, limited time, and a client need for impact evidence. The ROE specifically permits proof-of-access and local privilege-escalation assessment, so collecting safe evidence of local privilege-escalation exposure is the best professional objective. Actions involving credential dumping, lateral movement, persistence, or production customer data access are explicitly prohibited, even if they might demonstrate greater impact. The key takeaway is to maximize evidence value within authorization, not to expand activity because access was obtained.
Topic: Engagement Management
During an authorized web application penetration test, you confirm that customer invoices are exposed through a misconfigured storage integration. The application team owns the code, the cloud team owns the storage account, and the integration is managed by a third-party provider. The rules of engagement require critical findings to be escalated through the client’s primary point of contact before any provider communication. What is the best communication action?
Options:
A. Send the finding to all involved teams to speed remediation
B. Wait for the final report to avoid disrupting the engagement
C. Escalate to the client POC with concise evidence and affected-team details
D. Contact the third-party provider directly with the technical details
Best answer: C
Explanation: Stakeholder communication discipline means following the rules of engagement and using the agreed communication chain, especially when a finding spans multiple owners. Here, the issue affects application, cloud, and third-party responsibilities, but the ROE says provider communication must go through the client’s primary point of contact. The tester should provide concise, validated evidence, impact, urgency, affected systems, and ownership notes so the client can coordinate remediation and vendor contact without creating legal or contractual risk.
The key takeaway is to escalate clearly and early through authorized channels, not around them.
Topic: Attacks and Exploits
During an authorized web application test, the rules of engagement allow authentication testing against portal.example.com using only the provided test account. The client states that conditional access and MFA should block all unmanaged devices, and any suspected control bypass must be reported within 1 hour. The browser login from the tester’s unmanaged VM was denied, but a legacy mail protocol endpoint accepted the same test credentials and returned only mailbox folder names. What is the BEST professional decision?
Options:
A. Report a likely control bypass with the protocol evidence
B. Classify the result as a failed attempt because MFA blocked the browser
C. Test additional employee accounts against the legacy endpoint
D. Download sample messages to prove the mailbox impact
Best answer: A
Explanation: A failed attempt means the tested control prevented the access path being assessed. Here, the evidence is mixed: the browser path was blocked, but the same authorized test account accessed mailbox metadata through a legacy protocol from the unmanaged device. That indicates a likely control bypass or coverage gap, not a clean failure. Because the rules of engagement restrict testing to the provided account and require fast notification for suspected bypasses, the professional action is to preserve minimal evidence, avoid accessing message contents, and escalate the finding promptly. The key distinction is whether any alternate authorized path achieved access that the control was supposed to prevent.
Topic: Attacks and Exploits
A penetration tester is reviewing a tool-result summary during an authorized production web application test. The rules of engagement allow non-destructive validation only, require same-day escalation of potential critical findings, and prohibit testing outside the approved window, which ends in 20 minutes.
Exhibit: Scanner summary
Target: https://app.example.com/api/orders
Finding: Possible OS command injection
Evidence: One time-delay anomaly on parameter "sort"
Confidence: Low
Impact rating: Critical if confirmed
Notes: Application latency is currently unstable
What is the BEST next professional action?
Options:
A. Run an exploitation framework to obtain command execution proof before the window ends
B. Escalate the potential critical finding with confidence limits and request controlled validation approval
C. Report the issue as a confirmed critical command injection finding
D. Defer all communication until the final report is delivered
Best answer: B
Explanation: The core issue is defensible handling of low-confidence tool evidence under rules of engagement. The scanner shows a potentially critical weakness, but the evidence is only one time-delay anomaly and the application is already experiencing unstable latency. That makes the result insufficient to claim confirmed command injection. Because the ROE requires same-day escalation for potential critical findings, the tester should communicate promptly, include the evidence and confidence limits, and request approval or a follow-up window for controlled validation. This balances business risk, evidence quality, and authorization boundaries. The key takeaway is that a tool alert can justify escalation, but not unauthorized exploitation or overconfident reporting.
Topic: Attacks and Exploits
During an authorized internal penetration test, a tester reviews host-based privilege escalation evidence from an in-scope Windows application server. The rules of engagement allow validation by configuration review only, and the server supports a revenue-critical application.
Evidence: A third-party update service runs as LocalSystem, starts automatically, and loads its executable from a directory where the local Users group has modify permissions. No missing OS security patches are reported.
Which remediation direction is the BEST professional recommendation?
Options:
A. Disable the revenue-critical service until a replacement is deployed
B. Perform live exploit validation to prove privilege escalation impact
C. Prioritize operating system patching during the next maintenance window
D. Restrict service directory permissions and use a least-privileged service account
Best answer: D
Explanation: The core issue is a host-based privilege escalation path caused by weak service hardening: a high-privilege service loads code from a location writable by low-privilege users. Because the service runs as LocalSystem, modifying what it loads could allow privilege escalation. The best remediation direction is to remove unnecessary write access and run the service with only the privileges it needs. This maps the observed evidence to hardening and least privilege without exceeding the rules of engagement or disrupting a critical business service. Patching is important when a missing update is the cause, but the stem says no missing OS security patches were reported.
Topic: Reconnaissance and Enumeration
During passive OSINT for an authorized penetration test, a tester finds several assets that appear related to the client but are not listed in the rules of engagement.
Exhibit:
| Source | Evidence |
|---|---|
| ROE scope | acme.com, 203.0.113.0/28, AWS account 111122223333 |
| ROE note | Escalate suspected client-owned assets not listed in scope |
| Git repository | github.com/acme-labs/mobile-api, recent commits by @acme.com users |
| SaaS tenant | Repository config references acme-dev.example-sso.com |
What is the best next action?
Options:
A. Test the SaaS tenant because it uses the client name
B. Add the repository to the final report as confirmed in scope
C. Request scope clarification for the repository and SaaS tenant
D. Ignore the repository because GitHub is third-party hosted
Best answer: C
Explanation: Shadow IT leads are assets that appear connected to the client but are not explicitly authorized in the rules of engagement. Here, the GitHub organization, corporate commit authors, and referenced SaaS tenant create a reasonable ownership correlation, but neither the repository nor the SaaS tenant is listed in scope. The ROE also gives a clear instruction: escalate suspected client-owned assets that are not listed. The professional action is to document the evidence and request scope clarification before interacting with or testing those assets.
The key distinction is correlation versus authorization: OSINT evidence can justify escalation, but it does not expand testing scope by itself.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the tester obtains read access to a file share used by Finance. The rules of engagement allow validating business impact but prohibit opening or copying sensitive records unless explicitly approved. A directory listing shows files named payroll_2025.xlsx, merger_terms.pdf, and vendor_tax_forms.zip. The test window ends in 30 minutes, and the client wants evidence suitable for the final report. What is the BEST professional decision?
Options:
A. Capture metadata and request approval before accessing file contents
B. Open each file briefly to confirm the data classification
C. Copy one representative file as proof of access
D. Continue browsing subfolders to find higher-impact records
Best answer: A
Explanation: Business-impact validation should prove the risk without unnecessarily exposing sensitive data. In this scenario, the filenames, share path, permissions, timestamps, and access context can demonstrate likely impact while staying within the rules of engagement. Because the ROE explicitly prohibits opening or copying sensitive records without approval, the professional next step is to preserve low-risk evidence and ask the client for authorization if deeper validation is needed.
The key takeaway is to collect enough evidence to support the finding, not to maximize data exposure.
Topic: Attacks and Exploits
During an authorized external authentication test, a client asks you to classify the observed account-abuse pattern for the report. The rules of engagement allow only non-destructive login validation and require evidence-based labeling.
Exhibit: Authentication evidence
| Clue | Observation |
|---|---|
| Usernames | 620 valid corporate emails |
| Password source | Matching values from a third-party breach corpus |
| Attempt pattern | One username/password pair tried per account |
| Result | 14 successful logins |
Options:
A. Brute force
B. Credential stuffing
C. Session hijacking
D. Password spraying
Best answer: B
Explanation: Credential stuffing is identified by the use of known or suspected valid credential pairs, usually gathered from breaches, and replayed against another service. In this scenario, the decisive clue is not just many accounts being tested; it is that each account is tested with a matching password value from a third-party breach corpus. Password spraying would use one or a few common passwords across many accounts. Brute force would focus on guessing many passwords, often against one or a small set of accounts. The report should label the finding based on the credential source and attempt pattern, not only the number of login attempts.
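The three-way distinction above, turned into a classifier the tester can run over their own attempt records, as an added example not taken from the original page. The thresholds, the Attempt record shape and the constructed attempt sets are assumptions.

```python
"""Classify an observed authentication-attempt pattern for report labelling.

Added example, not part of the original exam page. Thresholds are illustrative
assumptions; the attempt sets at the bottom are constructed test data.
"""
from collections import Counter
from dataclasses import dataclass

MANY_ACCOUNTS = 10   # at or above this the pattern is "across many accounts"
FEW_PASSWORDS = 3    # spraying reuses at most this many password values
BRUTE_ATTEMPTS = 10  # per-account attempt count that looks like guessing
PAIR_RATIO = 0.8     # share of distinct passwords that means one pair per account


@dataclass(frozen=True)
class Attempt:
    username: str
    password: str   # known only because the tester made the attempt
    success: bool


def auth_pattern_features(attempts):
    """Summarise the clues the report should cite alongside its label."""
    per_user = Counter(a.username for a in attempts)
    return {
        "accounts": len(per_user),
        "attempts": len(attempts),
        "max_attempts_per_account": max(per_user.values(), default=0),
        "distinct_passwords": len({a.password for a in attempts}),
        "successes": sum(a.success for a in attempts),
    }


def classify_auth_pattern(attempts, credential_source="unknown"):
    """Label the pattern as in the explanation: spraying is few password values
    across many accounts, brute force is many guesses against few accounts, and
    stuffing is one distinct username/password pair per account. The credential
    source is the decisive clue for stuffing, so without it the label is hedged."""
    if not attempts:
        return "undetermined"
    f = auth_pattern_features(attempts)
    if f["accounts"] >= MANY_ACCOUNTS and f["distinct_passwords"] <= FEW_PASSWORDS:
        return "password spraying"
    if f["accounts"] < MANY_ACCOUNTS and f["max_attempts_per_account"] >= BRUTE_ATTEMPTS:
        return "brute force"
    one_pair_each = (f["max_attempts_per_account"] <= 2
                     and f["distinct_passwords"] >= PAIR_RATIO * f["attempts"])
    if f["accounts"] >= MANY_ACCOUNTS and one_pair_each:
        if credential_source == "breach corpus":
            return "credential stuffing"
        return "credential stuffing (likely)"
    return "undetermined"


# Constructed attempt sets mirroring the three patterns the explanation contrasts.
def constructed_stuffing():
    """One breach-derived pair per account; a few pairs still work."""
    return [Attempt(f"user{i}@example.com", f"corpus-pw-{i}", i % 7 == 0)
            for i in range(20)]


def constructed_spraying():
    """One seasonal password value tried once against every account."""
    return [Attempt(f"user{i}@example.com", "Winter2025!", False) for i in range(20)]


def constructed_brute_force():
    """Many guesses against a single account."""
    return [Attempt("admin@example.com", f"guess{i:03d}", False) for i in range(50)]


if __name__ == "__main__":
    for name, data in (("stuffing", constructed_stuffing()),
                       ("spraying", constructed_spraying()),
                       ("brute", constructed_brute_force())):
        print(name, "->", classify_auth_pattern(data, "breach corpus" if name == "stuffing" else "unknown"),
              auth_pattern_features(data))
```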
Topic: Attacks and Exploits
During an authorized web and cloud penetration test, you confirmed a chained attack path: an external application disclosed an internal API reference, a low-privilege test account could access other tenants’ invoice metadata, and the linked storage role allowed read access to sample invoice files. The client requests report wording for executives and engineers, but the rules of engagement prohibit reusable exploitation steps. Which wording is the BEST fit?
Options:
A. “Run the same sequence against each tenant by following the discovered API reference, reusing the low-privilege session, and reading the linked storage objects.”
B. “Chained weaknesses in error handling, API authorization, and storage role permissions could allow cross-tenant invoice exposure; prioritize authorization checks, least-privilege storage access, and error-message reduction.”
C. “A confirmed public data breach occurred, so all external applications must be taken offline immediately.”
D. “The findings are three isolated low-risk issues because each weakness requires another weakness to become useful.”
Best answer: B
Explanation: Report language for chained risk should connect the evidence-supported weaknesses into a clear business impact while avoiding operational details that would make the attack reusable. In this case, the meaningful risk is not just an error message, an API authorization flaw, or a storage permission issue in isolation. The risk is that the weaknesses combine to expose cross-tenant invoice data. Good wording should state the chain at a high level, identify the affected data and likely impact, and give remediation direction such as authorization enforcement, least privilege, and reduced information disclosure. It should not include request sequences, payloads, object paths, or other instructions that help someone reproduce the attack outside the authorized context.
Topic: Attacks and Exploits
During an authorized web application test, an automated scan flags a possible IDOR in a staging API. The rules of engagement allow only the two provided test accounts, prohibit exploit frameworks, and require request/response evidence for any reported access-control finding. Which tool category is the BEST choice to validate the finding within scope?
Options:
A. Password-audit tool
B. Network sniffer
C. Exploit framework
D. Intercepting web proxy
Best answer: D
Explanation: Tool category selection should match the evidence needed and the authorization limits. An intercepting web proxy is designed to capture, modify, and compare web requests and responses, which fits a safe IDOR validation using only the provided test accounts. A scanner produced the initial lead, but the finding needs targeted confirmation. The rules also prohibit exploit frameworks and do not authorize credential attacks. The key distinction is that a proxy provides application-layer HTTP evidence, while other tool categories produce different evidence types or exceed the engagement constraints.
Topic: Vulnerability Discovery and Analysis
During an authorized internal penetration test, a vulnerability scanner flags a production web server as critical based on a service banner. The rules of engagement allow authenticated scanning and configuration review but prohibit exploit attempts against production systems without written approval. The client also notes that the OS vendor often backports security fixes.
Exhibit: Scanner finding
Host: web-prod-03
Service: HTTPS
Detected: WebServerX 4.2.1
Finding: CVE match by version signature
Validation: No exploit or patch-level check performed
Confidence: Medium
What is the BEST professional decision?
Options:
A. Report the finding as confirmed exploitable
B. Validate patch status through approved authenticated evidence
C. Run a public proof-of-concept during the window
D. Remove the finding because backporting is possible
Best answer: B
Explanation: A scanner signature match, especially one based only on a banner or version string, indicates a potential vulnerability rather than proof that the target is exploitable. Backported patches, disabled modules, compensating configuration, or vendor-specific packaging can make the version appear vulnerable while the actual fix is present. Because the rules of engagement allow authenticated scanning and configuration review but prohibit exploitation, the professional next step is to gather approved evidence such as package patch level, vendor advisory mapping, configuration state, or authenticated scan details. The finding can then be reported with the right confidence level: confirmed if evidence supports exposure, or potential/needs validation if it does not. The key distinction is evidence quality, not the scanner label severity.
Topic: Reconnaissance and Enumeration
During an authorized internal assessment, a tester is surveying a production warehouse subnet that is in scope. The rules of engagement prohibit disruptive testing during business hours, and operations reports that conveyor monitoring depends on devices in this range. Discovery shows mDNS names such as cam-loadingdock-01, an SNMP system description of “PLC gateway”, and open MQTT/CoAP services. What is the best professional decision?
Options:
A. Pause deep enumeration and coordinate low-impact IoT testing with operations
B. Exclude the subnet from the report because IoT devices were unexpected
C. Attempt default credentials on all discovered web interfaces
D. Run an aggressive authenticated vulnerability scan across the subnet
Best answer: A
Explanation: IoT and embedded-device clues include device naming patterns, industrial protocol exposure, SNMP descriptions, mDNS/UPnP advertisements, MAC OUIs, and lightweight protocols such as MQTT or CoAP. In this scenario, the subnet is authorized, but the evidence suggests production operational technology or embedded systems tied to warehouse monitoring. These devices may be more sensitive to aggressive discovery, malformed probes, or high-volume scanning than standard IT hosts. The professional decision is not to ignore the scope, but to adjust the test approach: confirm ownership, coordinate with operations, use approved low-impact methods, and schedule deeper validation in an agreed window. The key takeaway is that discovery evidence should change testing caution, not justify unsafe probing.
Topic: Attacks and Exploits
During an authorized cloud application test, a URL preview feature was safely validated as making server-side requests to the compute metadata service. The tester confirmed that metadata service v1 is enabled and the attached workload role has broad object-storage permissions. The client asks for the best remediation direction for the demonstrated weakness.
Options:
A. Enable public object-storage block settings
B. Increase web application logging retention
C. Require MFA for interactive cloud admins
D. Harden metadata service access for the workload
Best answer: D
Explanation: The core issue is unsafe access to cloud instance metadata from an application that can initiate server-side requests. A remediation direction should reduce the chance that an SSRF-style weakness can retrieve temporary workload credentials. Appropriate controls include requiring token-based metadata service access, restricting metadata access from containers or application processes where possible, and reducing the attached role to least-privilege permissions. Public object-storage protections and admin MFA may be valuable elsewhere, but they do not directly fix metadata exposure from this workload. The key takeaway is to remediate the cloud control path demonstrated by the evidence, not a different cloud risk.
Topic: Engagement Management
During an authorized external penetration test, a tester identifies a likely critical authentication bypass at 10:52 p.m. The rules of engagement allow active validation only from 8:00 p.m. to 11:00 p.m. and require the client contact to approve any extension. The safe validation procedure is expected to take about 20 minutes, and there is no evidence of active compromise. What should the tester do next?
Options:
A. Skip validation and include only the scanner output in the final report
B. Begin validation immediately and finish after 11:00 p.m.
C. Escalate to the client contact and schedule approved validation
D. Trigger the emergency incident-response process
Best answer: C
Explanation: Testing-window constraints are part of the authorization boundary. Even when a likely critical issue is found, active validation must stay within the approved window unless the rules of engagement define an escalation path for extending it. Here, the validation step is expected to exceed the remaining time, and there is no evidence of active compromise that would justify emergency handling. The professional approach is to preserve the evidence, notify the authorized contact, and obtain approval for an extension or a later validation window. This protects legal authorization while still ensuring the finding can be validated and reported accurately.
Topic: Attacks and Exploits
During an authorized assessment, a tester uses a client-provided low-privilege account to validate account-access controls. Which reporting conclusion is best supported by the exhibit?
Exhibit: Access validation note
Test identity: analyst-test@example.com
Credential source: issued by client for testing
Action: requested /api/accounts/8842/export
Account 8842 owner: different business unit
Authentication result: success
Authorization decision: allow by policy accounts:read:*
Failed login attempts: none observed
Leaked secrets found: none observed
Options:
A. Credential stuffing against the login portal
B. Credential exposure from leaked account secrets
C. Permission misuse due to overbroad authorization
D. Password spraying against business-unit users
Best answer: C
Explanation: This exhibit supports permission misuse, not credential exposure. The tester used credentials explicitly issued by the client, and the key failure occurred after successful authentication: the authorization policy allowed accounts:read:* access to data owned by another business unit. Credential exposure evidence would involve discovered secrets, leaked passwords, tokens in code, or compromised credential material. Here, the risk is that a legitimate low-privilege identity can misuse excessive permissions to access data it should not be authorized to read.
The key distinction is authentication versus authorization: the login was valid, but the access decision was too broad.
Topic: Attacks and Exploits
During an authorized internal penetration test, you obtained local administrator access to one in-scope Windows workstation. The rules of engagement allow configuration review and screenshots but prohibit dumping memory, extracting password hashes, or viewing user secrets. Critical credential exposures must be reported the same business day.
Exhibit: Local evidence
HKLM\...\Winlogon: AutoAdminLogon = 1
HKLM\...\Winlogon: DefaultUserName = svc_backup
HKLM\...\Winlogon: DefaultPassword = <redacted by tester>
C:\Temp\lsass_2025.dmp: readable by local Users group
Local Administrators: HelpdeskShared enabled, password never expires
What is the BEST professional decision?
Options:
A. Dump LSASS to confirm which credentials are recoverable
B. Use the service account to test lateral movement immediately
C. Delete the dump file and disable the shared account
D. Escalate a credential dumping exposure with redacted evidence
Best answer: D
Explanation: Credential dumping risk can be identified from exposure clues without performing prohibited extraction. AutoAdminLogon with a DefaultPassword value indicates plaintext credential storage, a readable LSASS dump may contain recoverable credentials from memory, and a shared local administrator account increases the blast radius if credentials are obtained. Because the rules prohibit dumping memory, extracting hashes, or viewing secrets, the professional action is to preserve redacted evidence, escalate the critical finding, and recommend remediation such as removing plaintext credentials, deleting protected dump artifacts through the client’s process, rotating affected credentials, and replacing shared local admin use with managed local credentials. The key is to report the demonstrated exposure, not to prove it by violating authorization.
Topic: Attacks and Exploits
A tester is validating a web application finding under rules of engagement that allow read-only authorization checks only. The tester captures this evidence:
Session user: customer 1044
Request: GET /api/invoices/8832
Response: 200 OK
invoiceOwner: customer 2077
Returned fields: name, billing address, invoice total, card last4
Write actions attempted: none
Server-side errors observed: none
Which impact category should be assigned in the report?
Options:
A. Service disruption
B. Code execution
C. Account action
D. Data exposure
Best answer: D
Explanation: This finding’s impact is data exposure because the proof shows unauthorized read access to another customer’s invoice details. The response includes personal and billing-related information for a different account owner, and the tester stayed within the read-only validation allowed by the rules of engagement. There is no evidence that the tester changed account state, triggered a privileged workflow, executed server-side code, or affected application availability. A report should describe the access-control weakness, the exposed data types, and the affected object context without overstating the demonstrated impact.
Topic: Vulnerability Discovery and Analysis
A tester is reviewing DAST evidence for an in-scope customer portal during an authorized assessment. Only non-destructive validation with the provided test account is allowed, and the report must use the most accurate weakness category supported by the evidence.
Finding summary:
| Evidence | Observation |
|---|---|
| Endpoint | GET /download?file=invoice.pdf |
| Test input | File name with parent-directory sequences |
| Response | 200 OK, text file returned |
| Content | Application configuration values, not an invoice |
| Notes | No SQL errors, no record changes |
Which reporting decision is the BEST professional choice?
Options:
A. Report IDOR with evidence of another user’s invoice access
B. Report path traversal with evidence of unintended file access
C. Report stored XSS with evidence of persistent script execution
D. Report SQL injection with evidence of query manipulation
Best answer: B
Explanation: The finding is best categorized as path traversal, also called directory traversal. The decisive evidence is that a file-download parameter accepted parent-directory sequences and returned a server-side configuration file instead of the intended invoice. That supports unintended file access through path manipulation, not database query manipulation, authorization bypass between objects, or script execution. Because the rules allow only non-destructive validation, the tester should report the category using the observed response and avoid expanding testing beyond the approved scope. The key takeaway is to classify the weakness by the mechanism proven by the evidence, not by the tool that found it.
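The mechanism behind the finding and its fix, as an added example that is not from the original page: a download handler that joins the file parameter directly (the behaviour the evidence implies) beside a hardened resolver that rejects separators and checks containment after symlink resolution. The directory layout is constructed in a temporary directory; the function names are assumptions.

```python
"""Vulnerable and hardened path handling for a GET /download?file=... endpoint.

Added example, not part of the original exam page. The file tree is constructed
in a temporary directory so the example runs offline; the web framework is assumed
to have URL-decoded the parameter before it reaches these functions.
"""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when the requested name would escape the download root."""


def resolve_vulnerable(root: str, file_param: str) -> str:
    """'Before' behaviour matching the finding: untrusted name joined directly,
    so parent-directory sequences walk out of the invoice directory."""
    return os.path.join(root, file_param)


def resolve_hardened(root: str, file_param: str) -> str:
    """Return the real path of file_param inside root, or raise TraversalError.

    Two layers: the name must be a bare file name (no separators, no '..'), and
    the resolved candidate must still sit under the resolved root, which also
    catches a symlinked invoice pointing outside the directory.
    """
    root_real = os.path.realpath(root)
    if file_param in ("", ".", "..") or os.path.basename(file_param) != file_param:
        raise TraversalError(f"rejected name: {file_param!r}")
    candidate = os.path.realpath(os.path.join(root_real, file_param))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"escapes root: {file_param!r}")
    return candidate


def read_download(root: str, file_param: str, resolver=resolve_hardened) -> str:
    """Serve the requested file through the given resolver."""
    with open(resolver(root, file_param), encoding="utf-8") as fh:
        return fh.read()


def is_traversal_rejected(root: str, file_param: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        resolve_hardened(root, file_param)
    except TraversalError:
        return True
    return False


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/app/config.ini next to <tmp>/app/invoices/invoice.pdf.
    Returns the invoices directory, i.e. the download root."""
    base = tempfile.mkdtemp(prefix="download-demo-")
    app = os.path.join(base, "app")
    invoices = os.path.join(app, "invoices")
    os.makedirs(invoices)
    with open(os.path.join(app, "config.ini"), "w", encoding="utf-8") as fh:
        fh.write("db_password=constructed-sample-value\n")
    with open(os.path.join(invoices, "invoice.pdf"), "w", encoding="utf-8") as fh:
        fh.write("%PDF-1.4 constructed sample invoice\n")
    return invoices


if __name__ == "__main__":
    root = build_demo_tree()
    print("vulnerable:", read_download(root, "../config.ini", resolve_vulnerable)[:40])
    print("hardened rejects '../config.ini':", is_traversal_rejected(root, "../config.ini"))
    print("hardened serves invoice:", read_download(root, "invoice.pdf")[:20])
```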
Topic: Vulnerability Discovery and Analysis
A tester is reviewing an unauthenticated vulnerability scan for an in-scope web application. The rules of engagement allow only non-destructive validation unless the client approves further testing.
| Finding | Scanner evidence | App notes |
|---|---|---|
| Critical framework RCE | Version inferred from HTTP headers | App sits behind a reverse proxy; no endpoint-specific proof shown |
Which validation approach best addresses the uncertainty in this finding?
Options:
A. Confirm the vulnerable component and version are actually reachable
B. Run a public exploit to prove remote command execution
C. Close the finding because a reverse proxy is present
D. Report the finding as confirmed because severity is critical
Best answer: A
Explanation: A vulnerability finding is uncertain when the scanner’s evidence does not prove that the vulnerable condition exists on the tested target. Here, the scanner inferred a critical RCE from HTTP headers, but the application is behind a reverse proxy and no endpoint-specific proof is shown. The safest next step is to gather non-destructive validation evidence, such as confirming the actual framework/package version through approved authenticated access, application metadata, or vendor-safe checks that show the vulnerable component is reachable. Severity alone does not make a finding confirmed, and a reverse proxy does not automatically make it false. The key takeaway is to improve evidence quality without exceeding the rules of engagement.
Topic: Attacks and Exploits
During an authorized web application penetration test, the objective is to validate whether an authentication bypass finding from a scanner is exploitable. After two safe validation attempts, the application’s WAF blocks the tester’s source IP. The rules of engagement prohibit evasion techniques and require client approval before changing source IPs or disabling controls. What should the tester do next?
Options:
A. Rotate to a different approved testing IP
B. Tune requests to bypass the WAF signature
C. Document the block and request client-approved guidance
D. Report the scanner finding as fully exploited
Best answer: C
Explanation: When a defensive control blocks testing before the objective can be validated, the professional response is to stop the blocked path, document what happened, and use the approved communication or escalation process. The tester should capture the attempted validation, WAF response, timestamps, and affected target, then ask the client whether to whitelist, temporarily adjust the control, accept the control as compensating evidence, or treat the issue as unvalidated. Because the rules of engagement prohibit evasion and require approval for source or control changes, bypassing the WAF or switching IPs would create unauthorized risk. The key is not to overstate the finding or exceed authorization.
Topic: Reconnaissance and Enumeration
A penetration tester is reviewing two authorized scan summaries for the same in-scope host. Which interpretation is best supported by the exhibit?
Exhibit: Scan summaries
| Summary | Findings |
|---|---|
| Scan A | TCP 22 SSH, TCP 443 HTTPS, TCP 25 SMTP; service banners collected |
| Scan B | OpenSSL CVE match on HTTPS; weak TLS cipher; SMTP open relay check failed |
Options:
A. Both scans prove exploitation because both include service details.
B. Both scans are protocol scanning because both reference network services.
C. Scan A is vulnerability scanning; Scan B is protocol scanning.
D. Scan A is protocol scanning; Scan B is vulnerability scanning.
Best answer: D
Explanation: Protocol scanning is intended to reveal what communication protocols, ports, and services are exposed, often including banners or service versions. In the exhibit, Scan A answers, “What is listening on this host?” Vulnerability scanning uses discovered service information and checks it against known weaknesses, misconfigurations, or security tests. Scan B goes further by reporting a CVE match, weak TLS cipher, and an SMTP relay check result. Service details can support later vulnerability analysis, but they do not by themselves prove a vulnerability or exploitation.
Topic: Vulnerability Discovery and Analysis
During an external penetration test, an unauthenticated scanner reports a critical Apache Struts remote code execution issue on https://payments.example.com. The evidence shows only an Apache-Coyote header and a matching generic 404 response. The rules of engagement prohibit exploit attempts against production, and the report is due today. What is the BEST professional decision?
Options:
A. Remove the finding because exploitation was not performed
B. Report the finding as unconfirmed pending component/version evidence
C. Mark the finding as verified because the scanner rated it critical
D. Run a public proof-of-concept to confirm exploitability
Best answer: B
Explanation: A vulnerability finding is uncertain when the evidence does not prove the vulnerable technology, version, or condition exists. Here, Apache-Coyote suggests a Java application server connector, but it does not confirm Apache Struts or a vulnerable Struts version. Because exploit attempts are prohibited against production, the professional approach is to preserve the finding as unconfirmed and request safer validation evidence, such as authenticated configuration details, application inventory, dependency records, or stakeholder confirmation. This keeps the report accurate without exceeding authorization. Scanner severity alone is not proof, but lack of exploit execution also does not justify deleting a plausible risk.
Topic: Vulnerability Discovery and Analysis
A penetration tester is reviewing Nikto-style output for an authorized test of an in-scope HTTPS customer portal. The rules of engagement allow non-destructive validation but prohibit downloading backup archives or brute-forcing paths. The client asked that the report clearly separate actionable findings from informational observations.
+ Target: https://portal.example.com/
+ Server: Apache/2.4.58 (Ubuntu)
+ /robots.txt: contains 3 entries, includes /admin/
+ /admin/: returned 401 Unauthorized
+ Cookie SESSIONID created without the Secure flag
+ /backup/config-old.zip: 200 OK, application/zip, 4.8 MB
+ X-Frame-Options header is not present
What is the BEST professional decision?
Options:
A. Prioritize the exposed backup, flag cookie/header issues, and mark the rest informational
B. Ignore all results until a second scanner confirms them
C. Download the backup archive to inspect it for secrets
D. Report every Nikto line as an actionable high-risk vulnerability
Best answer: A
Explanation: Nikto output often mixes true findings, hardening gaps, and observations. In this case, a publicly reachable backup archive with 200 OK is an actionable exposure and should be prioritized without downloading it. A session cookie missing the Secure flag and a missing anti-clickjacking header are also reportable control weaknesses, typically with lower severity unless more impact is shown. The server banner, robots.txt entries, and a 401 Unauthorized admin path are useful context but are not vulnerabilities by themselves. The professional approach is to preserve evidence, avoid prohibited validation, and communicate severity based on demonstrated risk.
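The triage in the explanation above, carried out by a small classifier over scanner output. This is an added example for this page, not Nikto's own code or the tester's script; the sample lines are constructed to mirror the exhibit, and the category rules are assumptions chosen to match the explanation (reachable backup archive = actionable, cookie flag and missing header = hardening gaps, banner, robots.txt and a 401 path = informational).

```python
"""Sort Nikto-style '+ ...' lines into actionable findings, hardening gaps
and informational context, then report them separately.

Added example for this page. SAMPLE_OUTPUT is constructed; RULES are an
assumed triage policy, not Nikto's own severity model."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, matching the exhibit in the question above.
SAMPLE_OUTPUT = """\
+ Target: https://portal.example.com/
+ Server: Apache/2.4.58 (Ubuntu)
+ /robots.txt: contains 3 entries, includes /admin/
+ /admin/: returned 401 Unauthorized
+ Cookie SESSIONID created without the Secure flag
+ /backup/config-old.zip: 200 OK, application/zip, 4.8 MB
+ X-Frame-Options header is not present
"""

@dataclass
class TriagedLine:
    category: str   # "actionable", "hardening" or "informational"
    reason: str
    raw: str

# Ordered rules; the first match wins. Patterns are assumptions for this example.
RULES = [
    # A backup/archive path answering 200 is a reachable exposure: prioritise it,
    # but note that classifying it does not require downloading it.
    (re.compile(r"^/\S*(backup|\.zip|\.tar|\.bak|\.old)\S*:\s*200\b", re.I),
     "actionable", "publicly reachable backup/archive (200 OK)"),
    (re.compile(r"cookie .* without the (Secure|HttpOnly) flag", re.I),
     "hardening", "session cookie missing a protective flag"),
    (re.compile(r"^(X-Frame-Options|Content-Security-Policy|"
                r"Strict-Transport-Security) header is not present", re.I),
     "hardening", "missing security response header"),
    (re.compile(r"^/\S+:\s*returned 40[13]\b", re.I),
     "informational", "path exists but access is denied"),
    (re.compile(r"^(Target|Server):", re.I),
     "informational", "target/banner context"),
    (re.compile(r"^/robots\.txt:", re.I),
     "informational", "robots.txt entries are leads, not findings"),
]

def triage_line(line: str) -> TriagedLine | None:
    """Classify one '+ ...' line; returns None for lines that are not findings."""
    body = line.strip()
    if not body.startswith("+ "):
        return None
    body = body[2:]
    for pattern, category, reason in RULES:
        if pattern.search(body):
            return TriagedLine(category, reason, body)
    # Unknown lines go to the reviewer instead of being silently dropped.
    return TriagedLine("informational", "unclassified; review manually", body)

def triage_output(text: str) -> dict[str, list[str]]:
    """Group classified lines by category, preserving scanner order."""
    groups: dict[str, list[str]] = {"actionable": [], "hardening": [], "informational": []}
    for line in text.splitlines():
        t = triage_line(line)
        if t is not None:
            groups[t.category].append(t.raw)
    return groups

if __name__ == "__main__":
    for category, lines in triage_output(SAMPLE_OUTPUT).items():
        print(f"[{category}]")
        for raw in lines:
            print("   ", raw)
```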
Topic: Vulnerability Discovery and Analysis
A penetration tester is preparing the findings section for a vulnerability assessment. An authenticated scan identified an end-of-life web framework on an internal claims portal, and the vendor advisory maps it to a critical CVE. The rules of engagement prohibit exploit attempts against this production portal, the testing window has closed, and network controls limit access to VPN users only. Stakeholders ask whether the finding proves immediate exploitability. What is the BEST professional decision?
Options:
A. Run a proof-of-concept after hours to confirm impact
B. Remove the finding because VPN access reduces exposure
C. State that exploitation was proven because the CVE is critical
D. Frame it as residual risk with evidence and retest guidance
Best answer: D
Explanation: Vulnerability management evidence should be framed as residual risk when it shows an unresolved weakness but does not demonstrate successful exploitation. Here, the authenticated scan, end-of-life framework, and critical CVE support reporting a valid risk. However, the rules of engagement prohibited exploit attempts, the testing window is closed, and access is limited by VPN controls. The professional report should distinguish confirmed exposure from unproven exploitability, document the evidence, note compensating controls, recommend remediation, and propose authorized retesting. This avoids overstating proof while still communicating business risk clearly.
Topic: Attacks and Exploits
During an authorized internal penetration test, the tester connects to the corporate guest wireless network. The rules of engagement allow network discovery but prohibit credential attacks and service exploitation. Evidence shows the guest subnet can initiate TCP connections to SMB and RDP services on finance workstations, although no authentication was attempted. The business requires guest Wi-Fi to remain available for internet access. Which remediation direction is the BEST professional recommendation?
Options:
A. Remove the guest wireless network entirely
B. Perform password spraying against finance accounts
C. Segment guest Wi-Fi from internal subnets with restrictive ACLs
D. Disable SMB and RDP on all finance workstations
Best answer: C
Explanation: The demonstrated weakness is inadequate network segmentation: a low-trust guest network can directly reach sensitive internal services. Because the tester has sufficient connectivity evidence and the ROE prohibits credential attacks or exploitation, the professional recommendation should focus on secure network configuration rather than further attack activity. A strong remediation direction is to place guest Wi-Fi in a separate segment and enforce restrictive firewall or ACL rules that allow only required services, such as internet egress and supporting infrastructure like DNS or DHCP. This preserves the business need for guest access while reducing lateral movement risk.
Topic: Attacks and Exploits
During an authorized API test, a penetration tester confirms that a basic customer account can change the invoiceId parameter and retrieve another customer’s invoice metadata. The ROE prohibits accessing additional customer records, and the client asks for the BEST remediation recommendation that directly strengthens the failed control without relying on obscurity.
Options:
A. Add a WAF rule to block modified invoice parameters
B. Replace sequential invoice IDs with random UUID values
C. Hide the invoice ID field from the web interface
D. Enforce server-side object-level authorization for each invoice request
Best answer: D
Explanation: The evidence shows an authorization control failure, not merely a predictable identifier problem. The application accepted a user-controlled object reference and returned another customer’s data because the server did not verify whether the authenticated user was allowed to access that specific invoice. A strong remediation is to enforce object-level authorization on every relevant API request using trusted server-side account, tenant, or ownership mappings. Random identifiers can reduce guessing, but they do not prove access rights. UI changes and WAF rules are also insufficient because API clients can still send modified requests. The key takeaway is to fix the access decision at the application authorization layer.
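The failed control and its fix, side by side. This is an added example for this page, not the tested API's code; the in-memory invoice store, the tenant-based ownership model and the Principal/NotFound types are assumptions.

```python
"""Invoice lookup without and with object-level authorization.

Added example for this page. INVOICES, Principal and NotFound are
constructed for illustration; a real service would load ownership from
its database and the principal from a verified session."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

class NotFound(Exception):
    """Raised when the invoice does not exist or is not visible to the caller."""

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    tenant_id: str       # owning customer: the server-side ownership mapping
    amount_cents: int

@dataclass(frozen=True)
class Principal:
    account_id: str
    tenant_id: str       # taken from the verified session, never from the request

# Constructed sample data for two different customers.
INVOICES = {
    "INV-1001": Invoice("INV-1001", "tenant-a", 12_500),
    "INV-1002": Invoice("INV-1002", "tenant-b", 9_900),
}

def get_invoice_vulnerable(caller: Principal, invoice_id: str) -> Invoice:
    """Before: authentication happened elsewhere, but the lookup trusts the
    client-supplied invoiceId and never compares ownership, so any signed-in
    user can read another customer's invoice by changing the identifier."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None

def get_invoice_fixed(caller: Principal, invoice_id: str) -> Invoice:
    """After: every request compares the object's owner with the trusted
    session principal. Because the decision uses server-side data only,
    it does not depend on random IDs, hidden UI fields or a WAF rule."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the endpoint cannot be used
    # as an oracle to learn which identifiers exist.
    if invoice is None or invoice.tenant_id != caller.tenant_id:
        raise NotFound(invoice_id)
    return invoice

Handler = Callable[[Principal, str], Invoice]

def can_read(caller: Principal, invoice_id: str, handler: Handler) -> bool:
    """True when the handler returns the invoice to this caller."""
    try:
        handler(caller, invoice_id)
        return True
    except NotFound:
        return False

if __name__ == "__main__":
    customer_a = Principal("acct-1", "tenant-a")
    print("vulnerable cross-tenant read:", can_read(customer_a, "INV-1002", get_invoice_vulnerable))
    print("fixed cross-tenant read:     ", can_read(customer_a, "INV-1002", get_invoice_fixed))
```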
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, you obtained shell access to an in-scope development server. A deployment script contains a plaintext password for an enabled service account. The rules of engagement allow reviewing local files but prohibit using discovered credentials without written approval. IAM logs provided by the client show no successful sign-ins for that account in the last 30 days. The business owner asks whether the account was misused. What is the BEST professional decision?
Options:
A. Report confirmed account compromise
B. Use the password to validate access
C. Report identity exposure risk, not confirmed misuse
D. Exclude the finding because logs show no sign-ins
Best answer: C
Explanation: Identity exposure and identity misuse require different evidence standards. Finding a plaintext password for an enabled account is enough to report a credential or identity exposure risk, especially because it could support lateral movement if an attacker obtains it. However, confirmed misuse requires evidence such as unauthorized successful authentication, activity performed by the account, or corroborating logs. The rules of engagement also prohibit using discovered credentials without written approval, so the tester should not create new activity just to prove impact. The professional response is to document the exposed secret, state the evidence limitations, recommend rotation and access review, and avoid overstating the finding as confirmed compromise.
Topic: Engagement Management
A penetration tester is reviewing two draft report excerpts before sending the final report. Which interpretation best classifies the excerpts based on audience, detail level, and decision purpose?
Exhibit: Draft excerpts
| Excerpt | Text |
|---|---|
| A | The customer portal risk could expose invoice data and create compliance exposure. Leadership should approve immediate remediation before the partner launch and schedule a retest. |
| B | The GET /api/v2/invoices/{id} endpoint allowed an authenticated user to view another tenant’s invoice by changing the object identifier. Evidence, affected role, likely root cause, and remediation steps are documented. |
Options:
A. Both excerpts are executive summaries.
B. A is an executive summary; B is a technical finding.
C. A is a technical finding; B is an executive summary.
D. Both excerpts are technical findings.
Best answer: B
Explanation: An executive summary is written for leadership and focuses on business impact, risk priority, and decisions the organization needs to make. Excerpt A avoids implementation detail and frames the issue around exposure, compliance concern, launch timing, remediation approval, and retesting. A technical finding is written for technical stakeholders and includes concrete evidence, affected components, conditions, root cause, and remediation guidance. Excerpt B names the endpoint, access condition, observed behavior, and implementation-level follow-up. The key distinction is not whether the issue is serious; it is whether the wording supports executive decision-making or technical remediation.
Topic: Attacks and Exploits
During an authorized internal penetration test, a tester on the standard employee VLAN can reach database listener ports and SSH management interfaces in the server VLAN. The rules of engagement allow validation by connection testing only, and the client states employees need access only to the web application on TCP/443. Which remediation direction best addresses the demonstrated weakness?
Options:
A. Perform credential attacks against the exposed SSH services
B. Disable ICMP replies on servers in the server VLAN
C. Add firewall rules between VLANs to allow only required application traffic
D. Replace SSH banners with generic service messages
Best answer: C
Explanation: The core issue is insufficient network segmentation. The tester demonstrated that a normal employee network can directly reach sensitive server and management services that are not required for business use. Because the client needs only HTTPS access to the web application, remediation should restrict traffic between VLANs to the minimum required paths, typically with firewall rules, router ACLs, or microsegmentation controls. This reduces attack paths without requiring disruptive exploitation.
Disabling ping or changing banners may reduce visibility, but neither prevents access to the exposed services. Additional attacks would increase risk and are outside the stated validation approach.
Topic: Attacks and Exploits
A penetration tester is assessing internet-facing exposure for a client. The client provides an internal software inventory showing an admin service running a version affected by a known remote code execution CVE. The rules of engagement prohibit running exploit code and authorize testing only from the tester’s external IP range. Which validation step best determines whether exploitation is feasible?
Options:
A. Report the CVE based only on inventory evidence.
B. Check external reachability to the affected admin service.
C. Request the complete patch history for the server.
D. Run a proof-of-concept exploit in the next window.
Best answer: B
Explanation: Exploit feasibility is not determined by the vulnerable version alone. In this scenario, the inventory already suggests a susceptible version, but the authorized test perspective is external and exploit code is prohibited. The most important safe validation is whether the affected service is reachable from the allowed external source. If a firewall, VPN restriction, or access control prevents network access to the vulnerable service, practical exploitability from the tested path is reduced even though the software may still require remediation. Version and patch evidence help confirm susceptibility, but reachability controls whether an attacker can interact with the vulnerable component.
Topic: Engagement Management
During an external penetration test, a tester discovers a development API that appears related to the client but was not listed in the approved targets. Which collaboration step should the tester take next?
Exhibit:
Rules of engagement excerpt
In scope: www.example-corp.com, 203.0.113.0/28
Newly discovered assets: require written confirmation before testing
Sensitive details: share only minimized, redacted evidence
Approved contacts: engagement manager and client technical POC
Finding: dev-api.example-corp.net resolves to 198.51.100.42
Banner: "Example Corp Dev API"
Options:
A. Contact the hosting provider to verify the asset owner
B. Ask the approved POC to confirm ownership using redacted evidence
C. Send the full discovery output to all client executives
D. Continue testing because the banner names the client
Best answer: B
Explanation: The core concept is scope-safe stakeholder collaboration. The asset appears related to the client, but it is outside the listed targets and IP range. The rules of engagement explicitly require written confirmation before testing newly discovered assets and limit sensitive detail sharing to minimized, redacted evidence. The best next step is to use the approved escalation path and ask the client technical POC, typically with the engagement manager included, to confirm ownership and authorization before any further testing. This confirms the tester’s assumption without unnecessarily disclosing raw outputs, screenshots, tokens, or other sensitive details. A client-looking banner is not enough to expand scope.
Topic: Reconnaissance and Enumeration
During passive reconnaissance for an authorized external assessment, a tester finds a cloud-hosted login page that uses the client’s logo and naming pattern. The tester must decide how to classify it before taking any active steps.
Exhibit: Scope and evidence
| Item | Detail |
|---|---|
| In-scope targets | examplecorp.com, 203.0.113.0/28 |
| Found asset | examplecorp-portal.cloudapp.example |
| Evidence | Logo match; page title: “ExampleCorp Partner Portal” |
| Ownership | Cloud account owner not visible; DNS not under examplecorp.com |
| ROE note | Test only confirmed client-owned assets; escalate uncertain ownership |
Options:
A. Add it to the target list because branding confirms ownership
B. Treat it as a likely lead and request scope confirmation
C. Run an unauthenticated scan to determine ownership
D. Report it as an out-of-scope third-party system
Best answer: B
Explanation: A reconnaissance lead is not the same as a confirmed target. The exhibit provides weak relevance evidence, such as branding and a matching page title, but it does not prove client ownership or authorization. The rules of engagement list specific in-scope targets and require escalation when ownership is uncertain. In this situation, the professional next step is to document the finding as a likely lead and ask the client or engagement lead to confirm scope before any active testing. Branding alone can be copied, hosted by a partner, or placed on a third-party platform. The key takeaway is to separate discovery clues from authorization-grade evidence.
Topic: Reconnaissance and Enumeration
A penetration tester is reviewing a helper script for an authorized external enumeration task. The rules of engagement allow passive OSINT and noninvasive requests to approved company-owned hosts only. The report must include reproducible evidence of exposed services, but credential attacks, exploit attempts, and third-party targets are out of scope.
Which script behavior best supports the requirement?
Options:
A. Submit traversal strings to verify exposed file access
B. Test common default passwords on discovered login pages
C. Follow all external links to map partner-hosted assets
D. Record status codes, headers, titles, and timestamps for approved hosts
Best answer: D
Explanation: Safe reconnaissance scripts should support evidence collection while staying within authorization. In this scenario, the script may make noninvasive requests only to approved company-owned hosts, so collecting response metadata such as status codes, headers, page titles, and timestamps is appropriate. That information helps document exposed services and makes findings reproducible without attempting authentication, exploitation, or expanding the target set. The deciding factor is not whether the behavior might find more issues; it is whether the behavior satisfies the evidence requirement while honoring the rules of engagement.
Topic: Vulnerability Discovery and Analysis
A penetration tester is planning vulnerability scans for an internal assessment. The rules of engagement authorize read-only local credentials for 12 critical servers, but no credentials are approved for the remaining in-scope hosts. The client wants high-confidence patch and configuration findings for remediation planning, and scanning must avoid exploit validation. Which approach is the BEST professional decision?
Options:
A. Run only unauthenticated scans to keep results consistent
B. Validate uncertain findings by attempting safe exploitation
C. Run authenticated scans on the 12 approved servers and unauthenticated scans on the rest
D. Use the approved credentials across all in-scope hosts
Best answer: C
Explanation: Authenticated scanning uses approved credentials to inspect local patch state, installed software, configuration settings, and registry or package data that may not be visible from the network. That usually increases finding confidence and reduces banner-based false positives. Unauthenticated scanning is still appropriate where credentials are not authorized, but its results often depend on exposed services, banners, and network-visible behavior. In this scenario, the best strategy is to use authenticated scans only on the servers explicitly authorized for credentialed testing and unauthenticated scans on the remaining in-scope hosts. The report should distinguish confidence levels so remediation owners understand which findings were directly verified versus inferred.
Topic: Vulnerability Discovery and Analysis
A tester is preparing findings from an external vulnerability assessment. The client wants confirmed vulnerabilities in the main report and uncertain scan results tracked separately. Which reporting conclusion is best supported by the evidence?
Exhibit: Finding evidence
| Evidence | Detail |
|---|---|
| Scanner result | Critical CMS RCE; matched only Server header |
| Validation | Authenticated check unavailable; safe PoC prohibited by ROE |
| Manual check | CMS admin path returns 404; app behind reverse proxy |
| Owner note | Backend package has vendor backported fixes |
Options:
A. Downgrade to low based on the 404 response.
B. Report as a confirmed critical RCE.
C. Document as unvalidated pending authenticated verification.
D. Remove the item as a false positive.
Best answer: C
Explanation: A finding should be documented as unvalidated when the available evidence is insufficient to prove the vulnerability and the tester cannot safely validate it within the rules of engagement. Here, the scanner relied only on a banner, authenticated verification is unavailable, and exploit proof-of-concept testing is prohibited. The 404 response and reverse proxy reduce confidence, but they do not prove the issue is absent. The owner’s backport note is useful context, but it still needs package-level or authenticated confirmation. This is not a severity downgrade because the vulnerability itself has not been validated. The best reporting treatment is to separate it from confirmed findings and request verification or retesting.
Topic: Reconnaissance and Enumeration
A penetration tester runs an approved reconnaissance helper script against the client’s scoped domain. Based on the script output, what information did the script gather?
Exhibit: Script output
Target domain: examplecorp.test
_discover._tcp.examplecorp.test TXT "owner=platform-team"
api.examplecorp.test CNAME api-gw.us-east.example.net
vpn.examplecorp.test A 203.0.113.42
mail.examplecorp.test MX 10 mailsec.examplecorp.test
Options:
A. DNS records and service ownership hints
B. Cloud IAM roles and attached policies
C. Open ports and detected service versions
D. Web directory names and HTTP status codes
Best answer: A
Explanation: The script output is a DNS-focused reconnaissance result. It shows record types such as TXT, CNAME, A, and MX, which identify hostnames, address mappings, mail routing, and a text-based ownership hint. The owner=platform-team value is identity or ownership context for a discovered service record, while api, vpn, and mail names are asset or service leads. Nothing in the exhibit shows port scanning, web crawling, HTTP responses, or cloud identity policy enumeration. The best interpretation is that the script gathered DNS asset/service information plus an ownership hint useful for scoping and follow-up validation.
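A parser for the exhibit's DNS output that also applies the scope rule used by the earlier questions on dev-api.example-corp.net and the cloud-hosted portal: names under the approved domains are in scope, while an alias, address or mail host that points outside them is recorded as a lead needing written confirmation. This is an added example for this page, not the helper script from the question; the sample output is constructed to mirror the exhibit, and the approved domains and CIDR ranges passed in are assumptions.

```python
"""Parse 'name TYPE value' DNS reconnaissance lines, extract ownership hints
and classify each record against the rules of engagement.

Added example for this page. SAMPLE_OUTPUT is constructed from the exhibit;
the scope inputs used below are assumptions. The script never marks a
name out of scope on its own: that is a decision for the approved contacts."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, matching the exhibit above.
SAMPLE_OUTPUT = """\
Target domain: examplecorp.test
_discover._tcp.examplecorp.test TXT "owner=platform-team"
api.examplecorp.test CNAME api-gw.us-east.example.net
vpn.examplecorp.test A 203.0.113.42
mail.examplecorp.test MX 10 mailsec.examplecorp.test
"""

@dataclass
class DnsRecord:
    name: str
    rtype: str
    value: str

@dataclass
class Lead:
    name: str
    rtype: str
    value: str
    status: str                       # "in-scope" or "confirm-ownership"
    notes: list[str] = field(default_factory=list)

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>AAAA|A|CNAME|MX|TXT)\s+(?P<value>.+)$")

def parse_records(text: str) -> list[DnsRecord]:
    """Turn record lines into DnsRecord objects; header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(DnsRecord(m["name"], m["type"], m["value"].strip('"')))
    return records

def _in_domain(host: str, domains: list[str]) -> bool:
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(records: list[DnsRecord], in_scope_domains: list[str],
             in_scope_cidrs: list[str]) -> list[Lead]:
    """Apply the ROE: approved-domain names are in scope unless the record
    points to a name or address outside the approved sets."""
    nets = [ipaddress.ip_network(c) for c in in_scope_cidrs]
    leads = []
    for r in records:
        lead = Lead(r.name, r.rtype, r.value, status="in-scope")
        if not _in_domain(r.name, in_scope_domains):
            lead.status = "confirm-ownership"
            lead.notes.append("name is outside the approved domains")
        if r.rtype == "TXT":
            m = re.search(r"owner=([\w-]+)", r.value)
            if m:
                lead.notes.append(f"ownership hint: {m.group(1)}")
        elif r.rtype == "CNAME" and not _in_domain(r.value, in_scope_domains):
            lead.status = "confirm-ownership"
            lead.notes.append(f"alias points to third-party name {r.value}")
        elif r.rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(r.value)
            if not any(ip in n for n in nets):
                lead.status = "confirm-ownership"
                lead.notes.append(f"address {ip} is outside the approved ranges")
        elif r.rtype == "MX":
            target = r.value.split()[-1]          # drop the preference number
            if not _in_domain(target, in_scope_domains):
                lead.status = "confirm-ownership"
                lead.notes.append(f"mail host {target} is outside the approved domains")
        leads.append(lead)
    return leads

def classify_output(text: str, domains: list[str], cidrs: list[str]) -> dict[str, str]:
    """Convenience wrapper: hostname -> scope status."""
    return {lead.name: lead.status for lead in classify(parse_records(text), domains, cidrs)}

if __name__ == "__main__":
    # Assumed ROE for the exhibit: one domain and one address block.
    for lead in classify(parse_records(SAMPLE_OUTPUT), ["examplecorp.test"], ["203.0.113.0/24"]):
        print(f"{lead.status:18} {lead.rtype:5} {lead.name} -> {lead.value}  {'; '.join(lead.notes)}")
```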
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, you obtain a low-privileged shell on APP-02. Which post-exploitation objective is explicitly supported by the rules of engagement?
Exhibit: Rules-of-engagement excerpt
| Item | Scope fact |
|---|---|
| In-scope host | APP-02 only |
| Approved post-access actions | Identify current user, hostname, local privilege context, and non-sensitive configuration paths |
| Approved proof | Create a benign marker file in /tmp |
| Prohibited actions | Credential dumping, persistence, lateral movement, and customer data access |
Options:
A. Document local context and create the approved proof marker
B. Install a temporary startup task to prove persistence
C. Dump password hashes to validate privilege escalation risk
D. Pivot from APP-02 to adjacent database servers
Best answer: A
Explanation: Post-exploitation objectives must be selected from what the rules of engagement explicitly authorize, not from what is technically possible after access is gained. Here, the scope allows activity only on APP-02 and permits limited local context collection plus a benign proof marker. That supports documenting the current user, hostname, local privilege context, and non-sensitive configuration paths while creating the approved marker file. Actions such as credential dumping, lateral movement, persistence, or accessing customer data are specifically prohibited, even if they might demonstrate additional impact. The key takeaway is to align post-exploitation work with both target scope and approved objective boundaries.
Topic: Reconnaissance and Enumeration
A penetration tester is preparing for an external assessment of a company that is finalizing legal approval. The signed pre-engagement documents allow planning and public-source research, but they do not yet authorize traffic to company-owned IP ranges or login attempts against hosted services. The client wants early insight into exposed assets with minimal operational risk. Which approach should the tester use first?
Options:
A. Attempt password spraying against public login portals
B. Run a full TCP port scan against discovered ranges
C. Launch an unauthenticated vulnerability scan
D. Perform passive OSINT from public sources
Best answer: D
Explanation: Passive reconnaissance is the best first step when authorization is limited or operational risk must remain low. In this scenario, the tester is allowed to perform planning and public-source research, but is not yet authorized to send traffic to client IP ranges or test hosted services. Public records, search engine results, certificate transparency logs, job postings, code repositories, and other OSINT sources can identify likely domains, technologies, subsidiaries, and exposed assets without touching the client’s infrastructure. Once explicit authorization is granted, active enumeration and validation can follow within the rules of engagement. The key distinction is whether the activity interacts with target systems; here, non-intrusive collection is required first.
Topic: Reconnaissance and Enumeration
A tester is preparing for an external penetration test. The signed rules of engagement allow passive reconnaissance immediately, but active probing of the client’s environment is authorized only during a 4-hour window on Saturday. The client wants a preliminary list of likely internet-facing assets today without any packets sent to its hosts or DNS servers. Which action is the BEST professional decision?
Options:
A. Attempt DNS zone transfers from authoritative name servers.
B. Run a limited Nmap scan against the approved CIDR range.
C. Send HTTP banner requests only to known web servers.
D. Review public CT logs, WHOIS records, and cached search results.
Best answer: D
Explanation: Passive reconnaissance gathers information without directly interacting with the target environment. In this scenario, the rules allow passive work now but reserve any direct probing of client-controlled hosts or DNS servers for the Saturday testing window. Public certificate transparency logs, WHOIS data, and cached search results can support a preliminary asset list while respecting that boundary. Active reconnaissance includes actions that send traffic to target-controlled systems to elicit responses, even if the requests seem low impact or limited in scope.
The key distinction is not whether the activity is noisy; it is whether the tester directly probes the target environment.
Topic: Attacks and Exploits
During an authorized web application test, a tester validates authentication controls only against assigned test accounts. No password is guessed successfully. Which reporting conclusion is best supported by the exhibit?
Exhibit: Test notes
Rules of engagement:
- Test accounts only: pt_user01, pt_user02, pt_user03
- Stop authentication testing if any account is locked or disabled
Observed result:
- pt_user02 received 5 invalid login attempts in 2 minutes
- Login response changed from "invalid password" to "account locked"
- Admin console shows: "pt_user02 requires administrator reset"
- No successful login occurred
Options:
A. Report an account lockout denial-of-service risk
B. Continue testing other accounts to confirm scale
C. Omit the issue because exploitation failed
D. Report successful credential compromise
Best answer: A
Explanation: A finding can be reportable when control behavior creates measurable security or availability impact, even if the original exploit goal is not completed. Here, authentication testing did not produce a valid login, but it did lock a valid test account and require administrator reset. Because the rules of engagement explicitly require stopping when an account is locked, the tester should preserve the evidence and report the denial-of-service risk caused by the lockout behavior. The report should distinguish this from credential compromise and include the observed scope, impact, and remediation direction such as lockout tuning, monitoring, or self-service recovery controls.
Topic: Vulnerability Discovery and Analysis
A penetration tester is triaging findings that all appear to support the same business-impact scenario: unauthorized access to customer order data. The rules of engagement allow non-destructive validation only and prohibit password attacks or exploit execution against database hosts. The testing window has 2 hours remaining.
| Finding | Evidence | Constraint |
|---|---|---|
| API order lookup injection | High-confidence DAST result; response changed using a test order ID | Internet-facing and in scope |
| Database host RCE | Scanner plugin match; version not confirmed | Exploit validation prohibited |
| Admin credential reuse | Weak policy observed | Password attacks prohibited |
| Stored XSS in profile | Confirmed with a test account | Requires admin interaction |
Which finding should be validated first?
Options:
A. API order lookup injection
B. Stored XSS in profile
C. Admin credential reuse
D. Database host RCE
Best answer: A
Explanation: When several findings appear to enable the same attack path, validate the finding that best combines business impact, exploitability, confidence, and authorization fit. Here, the API injection is externally reachable, already has high-confidence evidence, maps directly to customer order data, and can be checked with a safe non-destructive test. That makes it the best first validation target because it can quickly confirm or refute the most direct path without exceeding the rules of engagement.
The key triage idea is not simply “highest severity.” A finding that cannot be safely validated, lacks evidence, or depends on prohibited activity should not be first even if it sounds severe.
Topic: Post-Exploitation and Lateral Movement
During an authorized internal penetration test, the rules of engagement allow limited post-exploitation validation but require the client’s system owner to perform final cleanup. The tester created a temporary local user, uploaded a benign validation file, added an SSH key for testing, and changed one service setting to prove impact. Which artifact documentation best supports cleanup and restoration?
Options:
A. Document only the confirmed vulnerability and business impact
B. Provide tool names and screenshots from exploitation validation
C. Record each created or changed item with host, path or setting, timestamp, and restore action
D. Remove all artifacts immediately without notifying the system owner
Best answer: C
Explanation: Post-exploitation cleanup documentation should make restoration repeatable and auditable. When the client owns final cleanup, the tester should record artifacts introduced or changed during testing, including accounts, keys, files, configuration changes, timestamps, affected systems, and recommended restore or removal actions. This supports evidence quality while preventing orphaned access paths or configuration drift after the engagement. Vulnerability impact and screenshots may belong in the report, but they do not provide enough operational detail for cleanup.
Topic: Engagement Management
A penetration tester is about to begin active testing. The rules of engagement authorize only app.example.com and 203.0.113.20/30, allow testing from 22:00-04:00 UTC, and prohibit password spraying and denial-of-service testing. Passive recon identifies portal-staging.example.com on a cloud IP outside the listed range. A help desk analyst says it is “probably ours” and asks the tester to “check it if easy.” Which action is the BEST professional decision?
Options:
A. Perform a nonintrusive banner grab to confirm ownership.
B. Scan it during the approved testing window only.
C. Test it only with the provided application account.
D. Do not test it; request written scope authorization from the engagement POC.
Best answer: D
Explanation: Scope authorization controls what a penetration tester may actively test, even when a discovered asset appears related to the client. In this scenario, the rules of engagement list specific targets and a testing window, but portal-staging.example.com resolves outside the authorized range and is not named as an approved target. The help desk analyst’s informal statement does not expand scope unless that person is the designated authority and the change is documented. The professional action is to preserve the evidence, avoid active interaction with the out-of-scope host, and request a written scope update or clarification from the engagement point of contact. The testing window and allowed account matter only for systems already in scope.
Topic: Reconnaissance and Enumeration
A penetration tester is reviewing identity enumeration evidence for an authorized engagement. The rules of engagement permit passive OSINT and non-authenticating checks only; password attempts and role-assumption tests are not authorized. Which conclusion is most defensible for the recon notes?
| Evidence type | Result |
|---|---|
| Tenant metadata | acme.example is a verified domain and redirects to sso.acme.example |
| Account checks | j.smith@acme.example and helpdesk@acme.example redirect to organization sign-in |
| Control check | notarealuser123@acme.example returns user not found |
| OSINT | A public wiki mentions Cloud Admins, but no member list is visible |
Options:
A. Admin role membership should be validated by attempting common passwords.
B. The tenant is federated, two UPNs likely exist, and role membership is unconfirmed.
C. Identity enumeration is blocked because the control account was not found.
D. The Cloud Admins group is confirmed to include j.smith@acme.example.
Best answer: B
Explanation: Identity enumeration conclusions should match the strength of the evidence and the engagement limits. The tenant metadata supports that acme.example is tied to a federated identity provider. The different responses for likely users versus the control account support a conclusion that the tested UPNs probably exist. However, a public mention of a group name does not prove membership, and the rules of engagement prohibit password attempts or role-assumption testing. The defensible report language should separate confirmed tenant behavior, likely account validity, and unconfirmed privilege claims.
Topic: Attacks and Exploits
A penetration tester is reviewing evidence from an authorized test of a customer portal hosted in a cloud environment. Which reporting conclusion is best supported by the exhibit?
Exhibit: Evidence summary
| Evidence | Observation |
|---|---|
| Direct object URL | Unauthenticated request returned 200 OK |
| Web app session | Expired before the direct request |
| App logs | No portal request logged for the object access |
| Resource policy | Principal: *, Action: storage:GetObject, Resource: client-invoices/* |
Options:
A. SQL injection in the file retrieval workflow
B. Broken access control in the portal application
C. Metadata service exposure through server-side request forgery
D. Public object access from a cloud resource policy misconfiguration
Best answer: D
Explanation: The decisive evidence is the resource policy allowing Principal: * to perform storage:GetObject on the invoice objects, combined with successful unauthenticated direct access and no corresponding portal log entry. That indicates the exposure is controlled by cloud configuration/IAM-style policy, not by application session logic. An application-layer access-control issue would usually require evidence that the portal accepted an unauthorized request, mishandled object ownership, or exposed another user’s file through its own routes. Here, the application was bypassed entirely because the storage resource was publicly readable. The report should classify the weakness as a cloud control-plane/resource policy misconfiguration and describe the data exposure impact.
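To show how the decisive evidence in this exhibit can be checked mechanically, here is an added example that is not part of the practice exam or any cloud provider's tooling: a small analyzer for IAM-style resource policies that flags Allow statements granting object-read actions to an anonymous principal. The policy documents are constructed; the action name `storage:GetObject` and the resource `client-invoices/*` come from the exhibit, while the policy shape, the `{"AWS": "*"}` principal form, and the role ARN in the hardened version are assumptions.

```python
"""Flag anonymous object-read grants in an IAM-style resource policy.

Added example; the policy documents below are constructed and the role
ARN (including the account id) is a placeholder.
"""
import json

# Constructed policy matching the exhibit: Principal *, GetObject on invoices.
PUBLIC_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "storage:GetObject", "Resource": "client-invoices/*"}
    ]
})

# Constructed hardened version: only the portal's own role may read objects.
HARDENED_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/portal-app"},
         "Action": "storage:GetObject", "Resource": "client-invoices/*"}
    ]
})

READ_ACTIONS = ("storage:GetObject",)


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for vals in principal.values() for p in _as_list(vals))
    return False


def find_public_read(policy_json, read_actions=READ_ACTIONS):
    """Return statements that let an anonymous principal read objects.

    A statement with a Condition is still reported (conditioned=True) because
    the condition may or may not restrict the grant and needs manual review.
    """
    doc = json.loads(policy_json)
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Explicit read actions and service or global wildcards both expose objects.
        exposed = [a for a in actions
                   if a in read_actions or a == "*" or a.endswith(":*")]
        if not exposed:
            continue
        hits.append({
            "actions": exposed,
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": "Condition" in stmt,
        })
    return hits


if __name__ == "__main__":
    print("public policy:", find_public_read(PUBLIC_POLICY))
    print("hardened policy:", find_public_read(HARDENED_POLICY))
```

A hit from this check, paired with an unauthenticated 200 OK and the absence of a portal log entry, is exactly the evidence chain the explanation describes: the grant lives in the resource policy, so remediation belongs in the cloud control plane rather than in the application's session handling.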
Topic: Reconnaissance and Enumeration
A penetration tester is preparing for an external assessment. The authorization letter is signed, but the rules of engagement state that active probing may begin only after the client approves the final target list next week. The client also warns that its production storefront is experiencing peak traffic and asks for a low-risk way to identify likely internet-facing assets for scope confirmation. What is the BEST professional decision?
Options:
A. Run a limited port scan against likely company domains
B. Start an unauthenticated vulnerability scan during off-peak hours
C. Perform passive OSINT and submit candidate assets for approval
D. Test login portals with a small credential-spraying attempt
Best answer: C
Explanation: Passive reconnaissance is the right first step when authorization or operational risk does not support direct interaction with target systems. In this scenario, the active testing window has not started, the final target list is not approved, and a production storefront is under peak load. Public sources such as search results, certificate transparency logs, public DNS records, WHOIS/RDAP data, job postings, and third-party exposure databases can help build a candidate asset list without sending probes to the client environment. The results should be shared with the client for ownership and scope confirmation before active enumeration begins. Any direct scanning or authentication testing would exceed the current rules of engagement.
Use the CompTIA PenTest+ PT0-003 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.