CompTIA PenTest+ Exam: System Access and Persistence Techniques

The Tester's Actions: Establishing Persistence and Manipulating .bash_history

Question

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

```bash
cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history
```

Which of the following actions is the tester MOST likely performing?

Answers

Explanations



C.

https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/

The commands in the question suggest that the penetration tester has gained access to a system and established persistence. The following commands are then executed:

```bash
cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history
```

The purpose of these commands is to manipulate the Bash history file, which is a log of previously executed commands on a Linux or Unix-based system.

The first command, cat /dev/null > temp, redirects the output of the null device (/dev/null) to a temporary file named temp. This essentially empties the temp file.

The second command, touch -r .bash_history temp, copies the access and modification timestamps of the existing .bash_history (the hidden file that stores the user's command history) onto temp, so the replacement file will carry the same timestamps as the original.

The third command, mv temp .bash_history, renames temp over .bash_history, replacing the original. The result is an empty history file that still shows the original's access and modification timestamps, so a casual look at the timestamps does not reveal that the file was just rewritten.

Therefore, the most likely action the penetration tester is performing is clearing the Bash history to cover their tracks and remove evidence of their activity on the system. This is commonly done by attackers to avoid detection and make it more difficult for incident responders to identify and investigate the attack.

Therefore, the correct answer is (C) Covering tracks by clearing the Bash history.
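From the incident responder's side, the sequence above leaves a recognisable artefact: the history file is empty, its access and modification times look old because they were copied with touch -r, but its inode change time (ctime) is fresh, since the kernel updates ctime on touch and rename and no userland tool can copy it. The following added example (not part of the original page) is a small detector built on that observation. It constructs two fixtures in a scratch directory, a normally written history and one in the end state the question's commands produce, and reports which one matches the wipe-and-timestomp pattern. It assumes Linux/Unix stat semantics, where st_ctime is the inode change time; the sample history lines and the one-day age of the fixture are constructed values.

```python
import os
import tempfile
import time

# Assumes Unix semantics: st_ctime is the inode change time, which is set by
# the kernel and cannot be copied by touch -r. On Windows st_ctime is the
# creation time, so this check does not apply there.

def inspect_history(path, ctime_skew_seconds=60, min_expected_size=1):
    """Return a report dict for the shell history file at `path`."""
    st = os.stat(path)
    findings = []
    if st.st_size < min_expected_size:
        findings.append("history file is empty")
    skew = st.st_ctime - st.st_mtime
    if skew > ctime_skew_seconds:
        findings.append(
            "ctime is %.0f s newer than mtime (timestamps restored after a rewrite?)" % skew
        )
    return {
        "path": path,
        "size": st.st_size,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "findings": findings,
        # Either finding alone has benign explanations (a new account, a chmod
        # on the file); both together match the question's sequence closely.
        "suspicious": len(findings) == 2,
    }

def scan_home_dirs(root="/home", name=".bash_history"):
    """Run inspect_history over every user's history file under `root`."""
    reports = []
    if not os.path.isdir(root):
        return reports
    for user in sorted(os.listdir(root)):
        candidate = os.path.join(root, user, name)
        if os.path.isfile(candidate):
            reports.append(inspect_history(candidate))
    return reports

# Constructed fixtures (sample content and a one-day-old timestamp).
SAMPLE_HISTORY = "ls -la\ncd /var/log\nsudo systemctl status sshd\n"
ONE_DAY = 24 * 3600

def make_clean_history(directory):
    """A normally written history: content present, ctime and mtime agree."""
    path = os.path.join(directory, "clean", ".bash_history")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fh.write(SAMPLE_HISTORY)
    return path

def make_wiped_history(directory):
    """End state of the question's commands: an empty file whose atime/mtime
    were copied from the old history, while ctime is left at 'now'."""
    path = os.path.join(directory, "wiped", ".bash_history")
    os.makedirs(os.path.dirname(path))
    open(path, "w").close()
    old = time.time() - ONE_DAY
    # What touch -r copies; the kernel still bumps ctime to the current time.
    os.utime(path, (old, old))
    return path

def demo():
    """Build both fixtures in a scratch directory and run the detector."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = inspect_history(make_clean_history(tmp))
        wiped = inspect_history(make_wiped_history(tmp))
    return {"clean": clean, "wiped": wiped}

if __name__ == "__main__":
    for name, report in demo().items():
        status = "SUSPICIOUS" if report["suspicious"] else "ok"
        print("%-6s %-10s size=%d %s" % (name, status, report["size"], report["findings"]))
    for report in scan_home_dirs():
        if report["suspicious"]:
            print("review:", report["path"], report["findings"])
```

The ctime check is the part worth keeping in a real triage script: a tester (or attacker) who copies timestamps with touch -r still cannot hide the fresh ctime, and the same comparison works for any file that has been replaced rather than edited in place. Treat the empty-file condition as a tunable threshold; a history that is much smaller than the user's normal one is the same signal in weaker form.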