New Comment on Passing the CAS-004 Exam for CASP+

Back on April 13 I received another comment for my most frequently visited web page “New Insights for the CASP+ CAS-004 Exam.”   The comment is so good that I had to publish it as a separate post.

By William Maclendon Howard

Passed on my first attempt three days ago……. somehow. Even after accidentally skipping the notorious Linux simulation question.

My two PBQs were the vulnerable code snippet one from CAS-003 (https://www.examtopics.com/discussions/comptia/view/62960-exam-cas-003-topic-1-question-480-discussion/), and the nmap scan interpretation question, also from CAS-003 (https://www.examtopics.com/discussions/comptia/view/52461-exam-cas-003-topic-1-question-370-discussion/). I was fully prepared for the code snippet one, but the scan interpretation one took me by surprise. The answers in the discussions on ExamTopics are pretty similar to what I chose, so just familiarize yourself with those and understand *why* those are the correct answers, and you should be fine.

But man, words cannot convey how close I was to walking out when I accidentally skipped that Linux sim. It came up at around question 30 out of 78. It gives you three pages of warnings, the general message of “you are about to enter the virtual environment, you cannot come back to this question” repeated several times, and you have to click “Next” to proceed through those pages. And then you get to the page with the actual simulated environment; there will be your shell in the background, and the pop-out box with instructions on how to complete the question on the right. Once you get here, ***DO. NOT. CLICK. NEXT.*** Like an idiot, I assumed that the instructions box would go away when you click “Next” again, and the actual question will begin. No. It will instead close the entire question; no warning, no confirmation, no “are you SURE you want to do that?,” nothing. It will just move you to the next multiple choice question and you will not be able to go back. Again, ***DO NOT CLICK NEXT*** when you get to the sim and you see that instructions box. Use the minimize button at the top to close it instead. I was unbelievably frustrated when it happened, almost to the point of walking out because I thought it was a guaranteed fail.

I ended up just skimming and taking my first gut-reaction guess at the remaining multiple choice questions, and I was flabbergasted to see that “Pass” on the printout after the test.

The study material I used was the Dion Training practice tests on Udemy, and the test questions and discussions on ExamTopics.com (https://www.examtopics.com/exams/comptia/cas-004/). I would say ExamTopics is probably your single most valuable resource as about 70% of the questions I encountered on the exam could be found there. It’s well worth the $50 in my opinion because it’s almost a guaranteed pass, assuming you study those questions well, and more importantly, checking the discussions section to understand *WHY* the correct answers are correct.

For the sim, you’ll probably want to install a Kali VM, set up your own fake “malicious” service to run on boot, and get some practice with netstat, lsof, ps, systemctl, and grep commands and how you use them to find/identify/stop/disable services. You should also probably be familiar with where services are located and how they are structured. I wish I could give more insight into exactly what the question looks like but……. y’know, I fumbled that one even though I was fully prepared for it. Just do what everyone else has said about that question and you should be fine haha.

Overall I am ecstatic that I passed, but I still have some pretty sour feelings about just how insanely easy it is to accidentally outright skip the simulation. Do y’all happen to know of any kind of feedback/complaints department at CompTIA that would actually take constructive criticism? Because, if nothing else, there needs to be at least some kind of warning when you attempt to click “Next” instead of instantly skipping the question, especially after it makes you click Next through several pages before that. I don’t want anyone else making the same mistake and end up failing, because I honestly feel I just got lucky.


Bob says:  So how is it that William missed the Sim but passed the exam?  First, he had to have done exceptionally well on the multiple choice questions and the Performance Based Questions.  In the early days of this exam, many people failed their first one or two attempts due to the difficulty of the Sim.  It may be that CompTIA has reduced the weight of the simulation relative to the entire test score.  So maybe it is possible to blow the Linux Sim and still pass the exam.  But I wouldn’t bet on it.


And here is another recent contribution that details the Linux Forensic Simulation question.

Author: NotGoodAtThis

For locating the malicious process, once you find malicious.service (or whatever file), I would recommend viewing the contents of the file using “cat” (ex: cat /etc/systemd/system/malicious.service). I personally would grep for the “ExecStart=” line and see what it is starting. So, possibly the steps are:

Task 1: Identify and kill a rogue TCP process

1. netstat -tulpn

-t: Displays specifically TCP connections.

-u: Displays specifically UDP connections.

-l: Displays only listening connections.

-n: Displays numerical addresses instead of host names.

-p: Displays the name of the program that owns each connection.

2. Identify the unusual port being opened (weird port number? active connection with a weird PID/Program name entry? typically in a LISTEN state?)

3. lsof -i :3991 [replace 3991 with the “Local Address” port number]

-i: Display information about all processes that have a network socket open on the specified port.

4. kill -9 4360 [replace 4360 with the “PID” result of your lsof command]

Task 2: Find a malicious service and remove it.

  1. Typically, netstat -tulpn will provide the process name in the PID/Program name section.
  2. If you cannot find the malicious service (somehow), use systemctl list-units --type service --all (or service --status-all) and scroll through the results.
  3. cat the file to check if the service file (likely in “/etc/systemd/system”) is starting another file in /usr/bin, /opt, or elsewhere. EXAMPLE: cat /etc/systemd/system/malicious.service | grep -i execstart
  4. If it is starting another malicious file, rm -f [/path/to/file] the file.
  5. Stop the service: systemctl stop malicious.service
  6. Disable the service from starting on boot: systemctl disable malicious.service
  7. Delete the .service file: rm -f /etc/systemd/system/malicious.service
  8. Reboot the machine and check to ensure the service does not reappear.
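The two tasks above, worked as a small POSIX shell script (an added example, not code from the commenter or from the exam): it parses a constructed netstat -tulpn listing to flag TCP listeners outside an assumed baseline, pulls the ExecStart= target out of a constructed unit file the way the grep -i execstart step does, and prints the clean-up commands in the write-up's order without running them. Port 3991, PID 4360, the program name updatr, and the baseline ports are all assumptions for the example.

```shell
# Constructed sample of `netstat -tulpn` output; the listener on 3991 is invented for this example.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      743/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:3991            0.0.0.0:*               LISTEN      4360/updatr
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/dhclient'

# Constructed unit file standing in for /etc/systemd/system/updatr.service (assumed name).
UNIT_SAMPLE='[Unit]
Description=System update helper

[Service]
ExecStart=/usr/bin/updatr --listen 3991
Restart=always

[Install]
WantedBy=multi-user.target'

# Ports this host is expected to expose (assumed baseline; adjust per host).
EXPECTED_PORTS="22 631"

# Print "port pid program" for each TCP socket in LISTEN state on a port outside the baseline.
unexpected_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)            # keep only the port after the last colon
            if (!(port in ok)) { split($7, pp, "/"); print port, pp[1], pp[2] }
        }'
}

# Print what the unit launches: first token after ExecStart= (matched case-insensitively, like grep -i).
exec_start_path() {
    printf '%s\n' "$UNIT_SAMPLE" | awk -F= 'tolower($1) == "execstart" { split($2, a, " "); print a[1]; exit }'
}

# Emit the clean-up commands in the order the write-up gives them; this only prints, it runs nothing.
remediation_plan() {
    port=$1; pid=$2; unit=$3; binary=$4
    printf 'lsof -i :%s\nkill -9 %s\n' "$port" "$pid"
    printf 'systemctl stop %s\nsystemctl disable %s\n' "$unit" "$unit"
    printf 'rm -f /etc/systemd/system/%s\nrm -f %s\n' "$unit" "$binary"
}

unexpected_listeners | while read -r port pid prog; do
    echo "unexpected listener: port $port pid $pid program $prog"
    remediation_plan "$port" "$pid" "$prog.service" "$(exec_start_path)"
done
```

On a real host you would replace the two sample strings with the live output of netstat -tulpn and cat on the suspect unit file, and review the printed plan before running any of it.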

As always, thanks to the community for all the great tips and comments


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
