Comprehensive and Detailed Explanation:
The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.
Why B is correct:
Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.
Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.
Why the other answers are incomplete or secondary:
A. Enable a host-based firewall on the machine — a reasonable defensive step if missing, but it does not replace removing the persistence that was the cause of the breach.
C. Revert configuration changes made during the engagement — also important and should be done, but the highest priority is removing active persistence that gives access. (Both B and C are valid cleanup activities; B is the single best answer given the question.)
D. Turn off command-and-control infrastructure — this is appropriate for the tester’s own infrastructure, but the critical action on the client side is removing client-side persistence. Also, turning off C2 after the test is expected, but will not remediate the remaining web shell on the client.
CompTIA PT0-003 Mapping:
Domain 5.0 Reporting and Communication — post-engagement cleanup and handoff (remediation actions, removal of test artifacts, maintaining chain of custody and evidence, and returning environment to agreed baseline).
