CompTIA PenTest+ (PT0-002) — Question 40

A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.
Which of the following actions, if performed, would be ethical within the scope of the assessment?

Answer options

• A. Exploiting a configuration weakness in the SQL database
• B. Intercepting outbound TLS traffic
• C. Gaining access to hosts by injecting malware into the enterprise-wide update server
• D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
• E. Establishing and maintaining persistence on the domain controller

Correct answer: A

Explanation

The correct answer is A because exploiting a configuration weakness in the SQL database falls within the scope of a penetration test aimed at identifying vulnerabilities. The other options involve unethical actions that could lead to unauthorized access or data breaches, which are not acceptable in a legitimate assessment.