
CompTIA PT0-003 Exam - Topic 2 Question 32 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 32
Topic #: 2

A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:

Server-side request forgery (SSRF) vulnerability in test.comptia.org

Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org

Publicly accessible storage system named static_comptia_assets

SSH port 22 open to the internet on test3.comptia.org

Open redirect vulnerability in test4.comptia.org

Which of the following attack paths should the tester prioritize first?

Suggested Answer: E

Leverage SSRF for Metadata Access:

Server-side request forgery (SSRF) vulnerabilities allow attackers to force a server to send requests to internal resources. In cloud environments, SSRF can often be used to access the metadata service (e.g., AWS EC2 metadata) to retrieve credentials for cloud services.

Once credentials are obtained, they can be used to access privileged systems that are not directly accessible from the internet.
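Seen from the defending side, the path described above is closed when the server refuses to fetch URLs that resolve to internal addresses, including the link-local range where cloud metadata services live. The following is an added example, not part of the original page; the function names, the injected `resolver` parameter and the sample hostnames are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS answers (hypothetical names) so the example runs offline.
CONSTRUCTED_DNS = {
    "cdn.example.net": {"93.184.216.34"},
    "images.example.net": {"169.254.169.254"},           # resolves to metadata address
    "mapped.example.net": {"::ffff:169.254.169.254"},    # IPv4-mapped IPv6 form
    "mixed.example.net": {"93.184.216.34", "10.0.0.5"},  # one public, one internal
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, set())

def system_resolver(host):
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id

def is_internal(ip_text):
    """True for addresses a public-facing fetcher should never reach."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.0.0/16, where cloud metadata services live.
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            addresses = set()
    if not addresses:
        return False, "resolution failed"
    # Decide on every address the name resolves to, not on how the host is spelled.
    for addr in sorted(addresses):
        if is_internal(addr):
            return False, f"internal address {addr}"
    return True, "ok"
```

The check only holds if the subsequent fetch connects to the same address that was validated, so the HTTP client should be pinned to the checked IP instead of resolving the name a second time.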

Why Not Other Options?

A (Public bucket): Analyzing the bucket for sensitive data is useful but does not directly lead to privileged system access.

B (Pacu): Pacu is used for AWS exploitation but requires credentials or misconfigured roles. SSRF can provide the credentials needed to run Pacu effectively.

C (SSH brute force): Brute-forcing SSH is noisy and inefficient, and privileged systems are likely to be better protected than an SSH service open to the internet.

D (Phishing via XSS): This is a longer-term attack and less direct compared to leveraging SSRF.

CompTIA Pentest+ Reference:

Domain 3.0 (Attacks and Exploits)

SSRF Exploitation and Cloud Metadata Access Techniques


Contribute your Thoughts:

Antione
1 day ago
Not sure about that, XSS feels risky.
upvoted 0 times
...
Franchesca
7 days ago
I think the XSS phishing route could work too.
upvoted 0 times
...
Freeman
12 days ago
Gotta prioritize the SSRF for metadata access!
upvoted 0 times
...
Theodora
17 days ago
E) Metadata service credentials? Jackpot! That's the way to go.
upvoted 0 times
...
Desmond
22 days ago
Brute-forcing the SSH service? Really? That's so 2010. Get with the times, man!
upvoted 0 times
...
Fairy
27 days ago
D) Using the XSS vulnerability in a phishing campaign could be an effective way to target administrators.
upvoted 0 times
...
Ahmed
2 months ago
E) The SSRF vulnerability is the most critical, so that should be the top priority.
upvoted 0 times
...
Tracey
2 months ago
B) Running Pacu to enumerate permissions and roles within the cloud-based systems could provide valuable information to guide the next steps.
upvoted 0 times
...
Mollie
2 months ago
E) Leveraging the SSRF to gain access to credentials from the metadata service seems like the most direct path to privileged access.
upvoted 0 times
...
Santos
2 months ago
I recall that accessing the metadata service through SSRF is a common tactic. It might be the most direct way to get to privileged systems.
upvoted 0 times
...
Mozell
2 months ago
I feel like using the reflected XSS in a phishing campaign could be effective, but it might take longer to set up than just going for the SSRF.
upvoted 0 times
...
Allene
2 months ago
I'm not entirely sure, but I think the open SSH service might be a good target too. I practiced some brute-force attacks, but it feels risky without more info.
upvoted 0 times
...
Jani
3 months ago
I remember studying SSRF vulnerabilities and how they can be used to access sensitive data. It seems like leveraging the SSRF could be a strong move here.
upvoted 0 times
...
Olga
3 months ago
I think the SSRF is the way to go. If I can leverage that to access the metadata service, I might be able to grab some credentials and really get my foot in the door.
upvoted 0 times
...
Shawnee
3 months ago
Ooh, the public storage system could be a goldmine! I bet I can find some juicy info in there to use for my attack.
upvoted 0 times
...
Mitzie
3 months ago
The SSH port being open is interesting, but a full brute-force attack might take too long and could get me flagged. I'd want to try something more targeted.
upvoted 0 times
...
Beula
3 months ago
I'm a bit confused about the open redirect vulnerability. How can that help me get into the privileged systems? I'm not sure that's the best approach.
upvoted 0 times
...
Hubert
3 months ago
Hmm, this looks like a tricky one. I think I'd start by looking at the SSRF vulnerability - that could be a good way to get access to internal systems.
upvoted 0 times
...
