CompTIA PT0-003 Exam - Topic 2 Question 32 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 32
Topic #: 2

A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:

Server-side request forgery (SSRF) vulnerability in test.comptia.org

Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org

Publicly accessible storage system named static_comptia_assets

SSH port 22 open to the internet on test3.comptia.org

Open redirect vulnerability in test4.comptia.org

Which of the following attack paths should the tester prioritize first?

Suggested Answer: E

Leverage SSRF for Metadata Access:

Server-side request forgery (SSRF) vulnerabilities allow attackers to force a server to send requests to internal resources. In cloud environments, SSRF can often be used to access the metadata service (e.g., AWS EC2 metadata) to retrieve credentials for cloud services.

Once credentials are obtained, they can be used to access privileged systems that are not directly accessible from the internet.

Why Not Other Options?

A (Public bucket): Analyzing the bucket for sensitive data is useful but does not directly lead to privileged system access.

B (Pacu): Pacu is used for AWS exploitation but requires credentials or misconfigured roles. SSRF can provide the credentials needed to run Pacu effectively.

C (SSH brute force): Brute-forcing SSH is noisy and inefficient, and the privileged systems are likely better protected than a host with SSH open to the internet.

D (Phishing via XSS): This is a longer-term attack and less direct compared to leveraging SSRF.

CompTIA Pentest+ Reference:

Domain 3.0 (Attacks and Exploits)

SSRF Exploitation and Cloud Metadata Access Techniques
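
The defensive counterpart to the SSRF-to-metadata path described above, as an added example that is not part of the original explanation or any CompTIA material: a server-side check that vets a user-supplied URL by its resolved addresses before the application fetches it. The function names, the injectable resolver and the reason strings are assumptions made for illustration; 169.254.169.254 is the AWS EC2 metadata address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Link-local range holding the instance metadata endpoint (169.254.169.254 on AWS EC2).
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")


def system_resolver(host, port):
    """Default resolver: every address the OS returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def classify(addr):
    """Return a reason string if addr is an internal destination, else None."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide an internal IPv4 target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in METADATA_NET:
        return "link-local/metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        return "non-public"
    return None


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, detail); when allowed, detail is the list of vetted IPs."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = resolver(parts.hostname, port)
        if not addrs:
            raise OSError("no addresses")
    except OSError:
        return False, "resolution failed"
    # Judge the resolved addresses, not the hostname string: one internal answer rejects the URL.
    for addr in addrs:
        reason = classify(addr)
        if reason:
            return False, f"{reason}: {addr}"
    return True, addrs
```

The caller should connect to one of the returned addresses rather than resolving the hostname a second time, so the address that was checked is the address that is fetched.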


Contribute your Thoughts:

Ahmed
3 days ago
E) The SSRF vulnerability is the most critical, so that should be the top priority.
upvoted 0 times
...
Tracey
8 days ago
B) Running Pacu to enumerate permissions and roles within the cloud-based systems could provide valuable information to guide the next steps.
upvoted 0 times
...
Mollie
13 days ago
E) Leveraging the SSRF to gain access to credentials from the metadata service seems like the most direct path to privileged access.
upvoted 0 times
...
Santos
18 days ago
I recall that accessing the metadata service through SSRF is a common tactic. It might be the most direct way to get to privileged systems.
upvoted 0 times
...
Mozell
24 days ago
I feel like using the reflected XSS in a phishing campaign could be effective, but it might take longer to set up than just going for the SSRF.
upvoted 0 times
...
Allene
29 days ago
I'm not entirely sure, but I think the open SSH service might be a good target too. I practiced some brute-force attacks, but it feels risky without more info.
upvoted 0 times
...
Jani
1 month ago
I remember studying SSRF vulnerabilities and how they can be used to access sensitive data. It seems like leveraging the SSRF could be a strong move here.
upvoted 0 times
...
Olga
1 month ago
I think the SSRF is the way to go. If I can leverage that to access the metadata service, I might be able to grab some credentials and really get my foot in the door.
upvoted 0 times
...
Shawnee
1 month ago
Ooh, the public storage system could be a goldmine! I bet I can find some juicy info in there to use for my attack.
upvoted 0 times
...
Mitzie
2 months ago
The SSH port being open is interesting, but a full brute-force attack might take too long and could get me flagged. I'd want to try something more targeted.
upvoted 0 times
...
Beula
2 months ago
I'm a bit confused about the open redirect vulnerability. How can that help me get into the privileged systems? I'm not sure that's the best approach.
upvoted 0 times
...
Hubert
2 months ago
Hmm, this looks like a tricky one. I think I'd start by looking at the SSRF vulnerability - that could be a good way to get access to internal systems.
upvoted 0 times
...
