CompTIA PenTest+ (PT0-003) — Question 154
A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:
- Server-side request forgery vulnerability in test.comptia.org
- Reflected cross-site scripting vulnerability in test2.comptia.org
- Publicly accessible storage system named static_comptia_assets
- SSH port 22 open to the internet on test3.comptia.org
- Open redirect vulnerability in test4.comptia.org
Which of the following attack paths should the tester prioritize first?
Answer options
- A. Synchronize all the information from the public bucket and scan it with Trufflehog.
- B. Run Pacu to enumerate permissions and roles within the cloud-based systems.
- C. Perform a full dictionary brute-force attack against the open SSH service using Hydra.
- D. Use the reflected cross-site scripting attack within a phishing campaign to attack administrators.
- E. Leverage the SSRF to gain access to credentials from the metadata service.
Correct answer: E
Explanation
The correct answer is E because leveraging the SSRF vulnerability allows access to sensitive data, such as credentials stored in the metadata service, which can lead to further escalation. Options A and B focus on data collection and permissions enumeration, which are less direct in achieving the goal of accessing privileged systems. Option C targets SSH access, which may not directly lead to privilege escalation through the vulnerabilities listed, and option D involves a phishing campaign that could be less effective than directly exploiting the SSRF.