PT0-003 Dumps with Practice Exam Questions Answers

Lateral Movement with PsExec:

PsExec is a tool used for executing processes on remote systems.

The command enables the tester to execute cmd.exe on the target host (server01) to achieve lateral movement and potentially escalate privileges.

Why Not Other Options?

A: The command is not testing connectivity; it is executing a remote command.

C: PsExec does not send its binary; it executes commands on remote systems.

D: The command is not enabling cmd.exe; it is using it as a tool for executing commands remotely.

CompTIA Pentest+ References:

Domain 3.0 (Attacks and Exploits)

The command uses find / -type f -ls to traverse the filesystem from the root directory and list every file while outputting extended metadata similar to a long listing. This includes key attributes such as owner, group, permissions (mode bits), size, timestamps, and full path. In PenTest+ post-exploitation and local enumeration practices, collecting this information supports permission enumeration—identifying files that are misconfigured (for example, world-writable or group-writable), sensitive files with overly broad read access, or binaries with special permissions (such as SUID/SGID) that can enable privilege escalation. Writing the results to /tmp/recon.txt preserves the data for offline review and filtering (e.g., searching for writable directories, credential files, configuration files, or unexpected permission patterns).

This is not primarily secrets enumeration because the command does not read file contents or search for tokens/password strings. It is not user enumeration (which focuses on accounts, groups, sudo rules, and login artifacts) and not service enumeration (which targets running processes, listening ports, and service configurations). The direct goal is mapping permissions across the filesystem.

CrackMapExec (CME) is the best choice because it supports authenticated enumeration against Active Directory and can retrieve domain configuration information—including password policy details—using valid domain credentials. In the PenTest+ methodology, once a tester has a standard domain account, a common next step is to enumerate domain settings that influence attack feasibility and safety, such as minimum password length, complexity requirements, lockout threshold, lockout duration, and password history. These values directly inform how to build a “policy-aware” custom wordlist and how to tune dictionary or spraying attempts to remain within rules of engagement and avoid triggering lockouts.

Responder is primarily used for LLMNR/NBT-NS poisoning and capturing or relaying authentication on local networks; it does not query AD policy as its main function. Hydra is a login brute-force tool that performs attacks, not policy retrieval. msfvenom is a payload generator used for exploitation and post-exploitation delivery, unrelated to enumerating AD password policy. Therefore, CME is the most appropriate tool to retrieve the password policy for informed dictionary construction.

The key detail in the Nmap scan output is that port 2222/tcp is open and running the SSH service. The standard SSH port is 22, so if the tester was attempting to connect on port 22, they would not succeed because SSH is instead listening on port 2222.

This is a common security hardening tactic—moving services to non-standard ports to reduce automated attacks.

There is no indication that the service is blocked (B), or requires certificates (C), or is inactive (D), because Nmap clearly shows the service is open and identified.

CompTIA PenTest+ Reference:

PT0-003 Objective 3.3: Analyze tool output or data related to engagement activities.

Nmap usage and interpreting scan results is emphasized in multiple sections.

The correct answer is B. Provide the customer with a list of the changes made.

At the end of a penetration test, the tester must support post-engagement cleanup and restoration. To verify that exploited systems have been returned to their original state, the tester should provide the customer with a complete list of changes made during the engagement. This allows the client to confirm that all modifications, deployed tools, payloads, accounts, configuration changes, scripts, files, and other artifacts have been removed or restored appropriately.

A is incorrect because terminating a command-and-control payload addresses only one possible artifact. It does not verify that all exploited systems have been restored to preengagement conditions.

C is incorrect because restoring environment variables may be part of cleanup, but it is too narrow and only applies if environment variables were changed.

D is incorrect because reimaging a system is disruptive and may not be necessary. It should only be done if required by the client’s recovery process or if restoration cannot be otherwise verified.

In PenTest+ terms, this falls under Reporting and Communication, specifically post-engagement cleanup, restoration validation, documentation of changes, and client handoff.