A penetration tester gains access to a system and establishes persistence, and then runs the following commands: cat /dev/null temp touch -r .bash_history temp mv temp .bash_history Which of the following actions is the tester MOST likely performing?
A) Redirecting Bash history to /dev/null Redirecting Bash history to /dev/null
B) Making a copy of the user's Bash history for further enumeration
C) Covering tracks by clearing the Bash history
D) Making decoy files on the system to confuse incident responders

Question

A penetration tester gains access to a system and establishes persistence, and then runs the following commands: cat /dev/null > temp touch -r .bash_history temp mv temp .bash_history Which of the following actions is the tester MOST likely performing?
A) Redirecting Bash history to /dev/null Redirecting Bash history to /dev/null
B) Making a copy of the user's Bash history for further enumeration
C) Covering tracks by clearing the Bash history
D) Making decoy files on the system to confuse incident responders

Quizplus · Accepted Answer

The tester is clearing the Bash history by redirecting /dev/null to a temporary file and then using the 'touch' command to set the timestamp of the temporary file to match the original .bash_history file before moving it back, effectively erasing the command history while maintaining the original timestamp.

A Penetration Tester Gains Access to a System and Establishes