CompTIA Updated PT0-003 Exam Questions and Answers by ella-rose

Risk scoring is the report element that most directly enables an organization to prioritize remediation work because it translates technical findings into an ordered view of business risk. In PenTest+ reporting guidance, testers are expected to communicate not only what is vulnerable but also how severe the issue is and how likely it is to be exploited, often incorporating factors such as exploitability, impact, exposure, and the presence of compensating controls. This produces a defensible ranking that helps stakeholders decide what to fix first when time and resources are limited.

Proof of concept supports validation by demonstrating that exploitation is possible, but it does not inherently provide comparative urgency across multiple findings. An attack narrative explains the path the tester used to achieve objectives (useful for understanding chaining and scope impact), but it is typically descriptive rather than a prioritization mechanism. The executive summary is aimed at leadership-level communication and overall posture, yet it usually depends on underlying risk ratings to justify what should be addressed first. Therefore, risk scoring most directly drives remediation prioritization.

To perform credentialed scans on an Active Directory (AD) server, the scanner requires high-level access to retrieve system configuration, patch levels, and user rights. A Domain Administrator account ensures full visibility into domain resources and permissions, which is essential for a complete vulnerability assessment.

From the CompTIA PenTest+ PT0-003 Objectives – Domain 2.0: Information Gathering and Vulnerability Identification:

“Credentialed scans require administrative-level access on target systems to provide detailed insights into software versions, missing patches, and security settings.”

The script iterates through a list of target hosts and sends an HTTP request to a vulnerable endpoint (atod.php) with a parameter (execf=) that appears to trigger remote command execution on each device. The command being issued is echo " ssh-ed25519 ... " followed by an append redirection operator ( > > ) into a file under /root/authorized_users. The ssh-ed25519 string is the format of an SSH public key, and appending a public key into an “authorized users/keys” style file is a common persistence technique that allows the tester (or an attacker) to authenticate via SSH without knowing a password.

In PenTest+ terms, this is establishing persistence/backdoor access after exploitation by planting an authentication mechanism that can be reused later. It is not creating a bind shell (no listener is set up), not changing a root password (no passwd or hash modification is shown), and not generating keys for decryption (the key material is being written to an authorization file for access). The loop indicates the intent is to apply this across multiple affected devices.

Dnsenum is a tool specifically designed to gather information about DNS, including domain structure and associated IP addresses. Here’s why option A is correct:

Dnsenum: This tool is used for DNS enumeration and can gather information about a domain’s DNS records, subdomains, IP addresses, and other related information. It is highly effective for mapping out a target network’s domain structure.

Nmap: While a versatile network scanning tool, Nmap is more focused on port scanning and service detection rather than detailed DNS enumeration.

Netcat: This is a network utility for reading and writing data across network connections, not for DNS enumeration.

Wireshark: This is a network protocol analyzer used for capturing and analyzing network traffic but not specifically for gathering DNS information.

References from Pentest:

Anubis HTB: Shows the importance of using DNS enumeration tools like Dnsenum to gather detailed information about the target’s domain structure​​.

Forge HTB: Demonstrates the process of using specialized tools to collect DNS and IP information efficiently​​.

======