During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:
-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile
drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh
-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc
drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws
-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history
drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents
drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop
drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads
Which of the following should the penetration tester investigate first?
Correct Answer: C
In a cloud-hosted VDI scenario, the highest-value next step is typically to identify cloud credentials and configuration artifacts that enable access beyond the single desktop instance. The .aws directory is a well-known location where AWS command-line tooling stores sensitive material such as credential profiles and configuration details (for example, access keys, session tokens, default regions, and named profiles).
PenTest+ emphasizes post-exploitation enumeration that targets credential sources capable of expanding access and impact, especially in cloud environments where a single set of keys may permit interacting with storage, compute, identity, and management APIs.
While .ssh can contain private keys useful for pivoting to other servers, in many cloud deployments SSH keys are scoped to specific hosts, whereas cloud access keys can unlock broader control-plane capabilities depending on attached permissions. .zsh_history is valuable for discovering commands and potentially leaked secrets, but it is less direct than immediately checking for structured cloud credentials. User folders like Documents are lower priority compared to credential repositories that can rapidly escalate the assessment's scope of access.