CompTIA Updated PT0-003 Exam Questions and Answers by dean

The correct answer is B. ssh compromised_user@victimhost " sudo -l "

The output shown in the question is produced by the sudo -l command, which lists the commands a user is allowed to run with elevated privileges.

The key finding is:

root (NO PASSWD): /bin/vim

This means compromised_user can run /bin/vim as root without entering a password. That is a local privilege escalation risk because vim can be abused to execute commands with elevated privileges when permitted through sudo.

To validate whether another host has the same weakness, the tester should enumerate that user’s sudo privileges on the other host:

ssh compromised_user@victimhost " sudo -l "

A is incorrect because running vim only confirms that the program can execute, not that it can be run as root through sudo.

C is incorrect because running bash -c vim only starts vim through Bash and does not validate sudo permissions.

D is incorrect because listing /bin/vim only confirms the file exists and shows file permissions. The vulnerability is the sudo misconfiguration, not the presence of the vim binary.

When the client indicates that the scope ' s hosts and assets are not included in the vulnerability scan results, it suggests that the tester may have missed discovering all the devices in the scope. Here’s the best course of action:

Performing a Discovery Scan:

Purpose: A discovery scan identifies all active devices on the network before running a detailed vulnerability scan. It ensures that all in-scope devices are included in the assessment.

Process: The discovery scan uses techniques like ping sweeps, ARP scans, and port scans to identify active hosts and services.

Comparison with Other Actions:

Rechecking the Scanner Configuration (A): Useful but not as comprehensive as ensuring all hosts are discovered.

Using a Different Scan Engine (C): Not necessary if the issue is with host discovery rather than the scanner’s capability.

Configuring All TCP Ports on the Scan (D): Helps in detailed scanning but does not address missing hosts.

Performing a discovery scan ensures that all in-scope devices are identified and included in the vulnerability assessment, making it the best course of action.

======

Given a short assessment timeline and the need to identify hard-coded credentials in a large codebase, using an automated tool designed for this specific purpose is the most effective approach. Here’s an explanation of each option:

Run TruffleHog against a local clone of the application (Answer: A):

TruffleHog is a specialized tool that scans for hard-coded secrets such as passwords, API keys, and other sensitive data within the code repositories.

Effectiveness: It quickly and automatically identifies potential credentials and other sensitive information across thousands of files, making it the most efficient choice under time constraints.

Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I ' X ' dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.

Command Breakdown:

cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.

xargs -n 1 -I ' X ' : Takes each line from wordlist.txt and passes it to dig one at a time.

dig X.mydomain.com: Performs a DNS lookup for each subdomain.

Why This is the Best Choice:

Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.

Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.

Benefits:

Automates the process of subdomain enumeration using a wordlist.

Efficiently handles a large number of subdomains.

References from Pentesting Literature:

Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides.

HTB write-ups often detail the use of similar commands for efficient subdomain enumeration.

Step-by-Step ExplanationReferences:

Penetration Testing - A Hands-on Introduction to Hacking

HTB Official Writeups

======