Exam PT0-002 topic 1 question 213 discussion

Actual exam question from CompTIA's PT0-002
Question #: 213
Topic #: 1

A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:



Which of the following should the penetration tester do NEXT?

  • A. Close the reverse shell the tester is using.
  • B. Note this finding for inclusion in the final report.
  • C. Investigate the high numbered port connections.
  • D. Contact the client immediately.
Suggested Answer: C

Comments

Snagggggin
3 months ago
Selected Answer: D
It is not the tester's job to investigate potential compromises. That is beyond the scope of the assessment. D is correct.
upvoted 2 times
...
Nikamy
5 months, 2 weeks ago
Selected Answer: C
Investigate first. We need to be sure it is not a false positive.
upvoted 1 times
...
uselessscript
7 months, 2 weeks ago
Selected Answer: C
The penetration tester's whole job is to find vulnerabilities. If they find one, they document it and present it later. They don't need to contact the client immediately unless it's either been exploited or is being actively exploited, so it's not D.
upvoted 1 times
...
Etc_Shadow28000
9 months, 4 weeks ago
Selected Answer: C
C. Investigate the high numbered port connections. Explanation: The netstat output shows several established connections and listening ports, including some high-numbered ports. Investigating these connections can reveal more about the server’s activity, potentially uncovering more vulnerabilities or unusual activity that could be relevant for privilege escalation or understanding the server’s configuration and security posture.
upvoted 1 times
...
Hedwig74
1 year ago
investigate...you have a shell open already, could be yours...
upvoted 1 times
...
deeden
1 year, 1 month ago
Selected Answer: C
Agree with option C. Need to establish facts of true positive IoC first to communicate. Suspicious, yes, but does it immediately indicate IoC? I don't think you would want to be calling your client contact for every false-positive finding you encounter during the engagement.
upvoted 1 times
...
WANDOOCHOCO
1 year, 2 months ago
Selected Answer: D
should share this ASAP
upvoted 2 times
...
vazq77
1 year, 4 months ago
Selected Answer: D
for sure
upvoted 2 times
...
kips
1 year, 9 months ago
Selected Answer: D
I would go with D
upvoted 1 times
...
TheSkyMan
2 years ago
Selected Answer: D
My biggest concern about C being the answer is the pentester shouldn't be investigating anything if it's not in the SOW or ROEs. The pentester could compromise any forensics and delay remediation; they're not a part of the company's Incident Response Team. This finding should be reported immediately to the client as a possible compromise... just like the other questions have shown.
upvoted 4 times
biggydanny
2 years ago
I hear you, but reading the question, this seems to be in scope, but you do have a valid point.
upvoted 2 times
...
biggydanny
2 years ago
The output of the netstat command shows active connections to and from the web server. The established connections on high numbered ports (58003, 40243, and 40252) are suspicious and should be investigated further. The penetration tester should attempt to identify the processes associated with those connections to determine if they are legitimate or if they represent an ongoing attack. Closing the reverse shell or contacting the client should not be done until the investigation is complete and the full extent of the compromise is understood. The finding should also be noted for inclusion in the final report.
upvoted 2 times
Slick0
9 months ago
The pentester is not being paid to investigate as a defender, that's the problem. This is simply not within the scope of his responsibilities, his SOW would likely state that he should report these findings of actual potential criminal activity immediately and not pursue and potentially compromise the investigation by enacting his own that his own pentesting company did not sanction or train him to do.
upvoted 2 times
...
...
...
[Removed]
2 years ago
Selected Answer: C
C. Investigate the high numbered port connections should be the NEXT step for the penetration tester. The netstat command output shows several established connections, including one to port 80, the default port for HTTP traffic. The other established connections are to high numbered ports, which could indicate a suspicious activity, such as a backdoor, a malware communicating with a command-and-control server, or a connection to a compromised system.
upvoted 3 times
[Removed]
2 years ago
Therefore, the penetration tester should investigate the high numbered port connections further to determine their purpose and whether they pose a threat to the system. This investigation could involve examining the processes associated with the connections, analyzing network traffic, or checking for indicators of compromise. After completing the investigation, the tester should note the findings for inclusion in the final report, along with any recommendations for remediation. The tester should also consider contacting the client immediately if the investigation reveals an ongoing attack or a significant risk to the system's security. Closing the reverse shell or contacting the client immediately may not be appropriate until the investigation of the established connections is complete.
upvoted 1 times
...
...
AaronS1990
2 years ago
"Exploiting the vulnerability allows the tester to open a reverse shell" Pretty sure that means he has already tested the ports and so should escalate it next.
upvoted 1 times
...
lifehacker0777
2 years, 1 month ago
Selected Answer: C
Given that netstat -antu shows a high number of foreign IP connections established on the server, the penetration tester should investigate these connections further. This could potentially indicate that the server has been compromised by an attacker, or that there is unauthorized access to the server from outside sources. Therefore, the NEXT step that the penetration tester should take is to investigate the high numbered port connections further (Option C). This could involve examining the source IP addresses and ports of the connections, as well as any associated processes or services. The tester should also determine if any of the connections are associated with known malicious activity.
upvoted 1 times
...
KingIT_ENG
2 years, 1 month ago
D is the correct answer: Contact the client immediately.
upvoted 3 times
...
cy_analyst
2 years, 1 month ago
Selected Answer: C
The correct next step for the penetration tester would be to investigate the high numbered port connections. These connections could potentially indicate the presence of additional services or processes running on the server, and the tester should explore them further to determine if they represent any additional vulnerabilities or potential attack vectors. It is also important for the tester to document this finding for inclusion in the final report. The tester should not close the reverse shell at this point, as it may be needed for further testing or investigation, and there is no immediate need to contact the client unless there is an imminent security threat.
upvoted 4 times
...
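Several comments above turn on whether the high-numbered connections are the tester's own shell, ordinary service traffic, or something unexplained. The following is an added example, not part of the original thread: it triages `netstat -antu` output into those three groups. The sample output, the addresses (documentation ranges) and the tester IP are constructed, because the question's original netstat screenshot is not available on the page.

```python
"""Triage `netstat -antu` output: separate the tester's own session and
inbound service traffic from established connections still unexplained."""

# Constructed sample (not the exam's output). 198.51.100.7 plays the tester;
# the local ports 58003, 40243 and 40252 are the ones named in the comments.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51514       ESTABLISHED
tcp        0      0 192.0.2.10:58003        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:40243        203.0.113.77:443        ESTABLISHED
tcp        0      0 192.0.2.10:40252        203.0.113.77:443        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms like ':::80' work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def triage(netstat_text, tester_ips):
    """Return (local, foreign, verdict) for every ESTABLISHED connection."""
    rows = [line.split() for line in netstat_text.splitlines()
            if line.startswith(("tcp", "udp"))]
    # Ports the host itself serves: traffic to these is expected inbound.
    listening = {split_endpoint(r[3])[1] for r in rows if r[-1] == "LISTEN"}
    results = []
    for r in rows:
        if len(r) < 6 or r[5] != "ESTABLISHED":
            continue  # listeners and stateless UDP rows are not connections
        (lhost, lport), (fhost, fport) = split_endpoint(r[3]), split_endpoint(r[4])
        if fhost in tester_ips:
            verdict = "tester-session"        # the engagement's own shell
        elif lport in listening:
            verdict = "inbound-to-service"    # client talking to a served port
        else:
            verdict = "unexplained-outbound"  # ephemeral local port, unknown peer
        results.append((f"{lhost}:{lport}", f"{fhost}:{fport}", verdict))
    return results


if __name__ == "__main__":
    for local, foreign, verdict in triage(SAMPLE, {"198.51.100.7"}):
        print(f"{verdict:22} {local:22} -> {foreign}")
```

A high local port on its own only means the host opened the connection from an ephemeral port; the entries left as `unexplained-outbound` are the ones the thread's C-versus-D disagreement is about.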