While several items listed are important parts of an overall engagement package, the authorization letter (often called written authorization, engagement letter, or authorization to test) is mandatory before testing begins — it explicitly grants permission to test specified systems under defined scope and constraints and provides legal protection for both parties. An RoE typically references or attaches the NDA (A), includes escalation/contact processes (B), and provides target lists (C), but without the formal authorization letter the engagement should not proceed.

CompTIA PT0-003 Mapping:

Domain 1.0 Planning and Scoping — obtain written authorization and define rules of engagement prior to testing.

Since the ICS is air-gapped (not connected to external networks), the best approach is manual assessment, which involves on-site testing, physical access, and reviewing configurations to identify vulnerabilities.

Option A (Channel scanning) ❌: This is used for wireless networks, not for isolated ICS systems.

Option B (Stealth scans) ❌: A stealth scan is a method to avoid detection while scanning, but it still requires network connectivity.

Option C (Source code analysis) ❌: If the ICS is a proprietary system, source code might not be available. Also, vulnerabilities could exist outside the code, such as misconfigurations.

Option D (Manual assessment) ✅: Correct. The ICS is offline, so a manual review of system settings, firmware, and configurations is the best approach.

???? Reference: CompTIA PenTest+ PT0-003 Official Guide – ICS & SCADA Testing

Web shells provide remote access and persistence for attackers. The best mitigation is to remove persistence mechanisms.

Remove the persistence mechanisms (Option A):

Attackers often modify startup scripts, cron jobs, or registry keys to maintain access.

If persistence is not removed, even after the web shell is deleted, attackers can reinstall or reaccess it.

The correct answer is C. python3 -m http.server 80

Using Python’s built-in HTTP server is one of the fastest and simplest ways to transfer files from a Linux host to another system on the same network. By running:

python3 -m http.server 80

from the directory containing the exploit, the tester can host the file over HTTP. The Windows 10 system can then retrieve it using a browser, PowerShell, certutil, or another HTTP-capable download method.

A, B, and D are incorrect because Netcat/Ncat listeners can be used for file transfer in some cases, but they require more coordination and commands on both systems. They are better suited for raw TCP connections, shells, or manual transfers, not the quickest general-purpose file-serving method.

In PenTest+ terms, this falls under Tools and Code Analysis, specifically using common command-line tools for file transfer during post-exploitation or controlled assessment activities.

A kiosk escape involves breaking out of a restricted environment, such as a kiosk or a single application interface, to access the underlying operating system. Here’s why option A is correct:

Kiosk Escape: This attack targets environments where user access is intentionally limited, such as a kiosk or a dedicated application. The goal is to break out of these restrictions and gain access to the full operating system.

Arbitrary Code Execution: This involves running unauthorized code on the system, but the scenario described is more about escaping a restricted environment.

Process Hollowing: This technique involves injecting code into a legitimate process, making it appear benign while executing malicious activities.

Library Injection: This involves injecting malicious code into a running process by loading a malicious library, which is not the focus in this scenario.

References from Pentest:

Forge HTB: Demonstrates techniques to escape restricted environments and gain broader access to the system​​.

Horizontall HTB: Shows methods to break out of limited access environments, aligning with the concept of kiosk escape​​.

Conclusion:

Option A, Kiosk escape, accurately describes the type of attack where a tester breaks out of a restricted environment to access the underlying operating system.

======

Banner grabbing is a technique used to obtain information about a network service, including its version number, by connecting to the service and reading the response.

Understanding Banner Grabbing:

Purpose: Identify the software version running on a service by reading the initial response banner.

Methods: Can be performed manually using tools like Telnet or automatically using tools like Nmap.

Manual Banner Grabbing:

Step-by-Step Explanationtelnet target_ip 80

Netcat: Another tool for banner grabbing.

nc target_ip 80

Automated Banner Grabbing:

Nmap: Use Nmap’s version detection feature to grab banners.

nmap -sV target_ip

Benefits:

Information Disclosure: Quickly identify the version and sometimes configuration details of the service.

Targeted Exploits: Helps in selecting appropriate exploits based on the identified version.

References from Pentesting Literature:

Banner grabbing is a fundamental technique in reconnaissance, discussed in various penetration testing guides.

HTB write-ups often include banner grabbing as a step in identifying the version of services.

The correct answer is D. To gather data to prepare for lateral movement

These commands are commonly used during post-exploitation enumeration to understand the compromised host, network connectivity, active users, login history, and possible privilege escalation paths. This information helps the tester determine where and how to move next inside the environment.

sudo -l checks what commands the current user can run with elevated privileges.

route displays the system routing table and can reveal reachable internal networks.

netstat -a shows active connections and listening services, which may identify connected hosts or services useful for pivoting.

last shows previous login activity and can reveal user accounts, source systems, and administrative access patterns.

who shows currently logged-in users.

A is incorrect because some commands may reveal information about other systems, but the full set of commands is broader and supports post-exploitation planning.

B is incorrect because the commands do not primarily enumerate all users and services. They collect privilege, network, session, and login information.

C is incorrect because persistence would involve creating or modifying access mechanisms, such as users, SSH keys, startup scripts, cron jobs, or services. These commands are reconnaissance and enumeration commands, not persistence actions.

In PenTest+ terms, this falls under Attacks and Exploits, specifically post-exploitation enumeration and lateral movement preparation.

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn " Backdoor " /tr " C:\path\to\backdoor.exe " /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= " C:\path\to\backdoor.exe " start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest References:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.

======

The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.

Why B is correct:

Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.

Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.

Why the other answers are incomplete or secondary:

A. Enable a host-based firewall on the machine — a reasonable defensive step if missing, but it does not replace removing the persistence that was the cause of the breach.

C. Revert configuration changes made during the engagement — also important and should be done, but the highest priority is removing active persistence that gives access. (Both B and C are valid cleanup activities; B is the single best answer given the question.)

D. Turn off command-and-control infrastructure — this is appropriate for the tester’s own infrastructure, but the critical action on the client side is removing client-side persistence. Also, turning off C2 after the test is expected, but will not remediate the remaining web shell on the client.

CompTIA PT0-003 Mapping:

Domain 5.0 Reporting and Communication — post-engagement cleanup and handoff (remediation actions, removal of test artifacts, maintaining chain of custody and evidence, and returning environment to agreed baseline).

The correct answer is B. Securely destroy or remove all engagement-related data from testing systems.

At the end of a penetration test, the tester must protect client confidentiality by securely handling all artifacts generated during the engagement. These artifacts may include screenshots, scan results, exploit output, credentials, hashes, reports, packet captures, copied files, logs, notes, and any other client-related evidence.

Securely destroying or removing engagement-related data from the tester’s systems is the best procedure for maintaining client data privacy because it reduces the risk of unauthorized disclosure after the engagement is complete.

A is incorrect because removing configuration changes and deployed tools is part of cleanup on client systems, but it does not fully address client data privacy on the tester’s own systems.

C is incorrect because searching configuration files for credentials is too narrow. Client-sensitive data can exist in many places, not only in configuration files.

D is incorrect because shutting down command-and-control or attacker infrastructure is part of post-engagement cleanup, but it does not directly ensure that client data collected during the test is securely removed.

In PenTest+ terms, this aligns with Reporting and Communication, especially post-engagement activities, evidence handling, data retention, secure disposal, and maintaining client confidentiality.