GCIH Question #607: Real Exam Question with Answer & Explanation

The correct answer is C: Eve escalated her privileges to a super user and deleted the contents of the bash history file. An empty .bash_history file after a session indicates deliberate anti-forensic activity, most likely privilege escalation followed by history file truncation or deletion.

Vulnerability Exploitation & Privilege Escalation

Question

Examine the image below. Based on the log file and directory entry shown, why was the .bash_history file empty after Eve terminated her session?

Exhibit

GCIH question #607 exhibit

Options

  • A. SSH does not create a bash history file when a non-root user connects to a Linux system
  • B. By copying the /etc/passwd and /etc/shadow files, Eve was able to sudo rm -rf her user directory
  • C. Eve escalated her privileges to a super user and deleted the contents of the bash history file
  • D. Eve terminated her bash session by echoing the PID into the kill command resulting in the history

Explanation

An empty .bash_history file after a session indicates deliberate anti-forensic activity, most likely privilege escalation followed by history file truncation or deletion.

Common mistakes.

  • A. SSH creates a bash history file for all interactive users regardless of whether they are root; the HISTFILE variable and shell session type determine history logging, not SSH itself.
  • B. Copying /etc/passwd and /etc/shadow is a credential harvesting technique used for offline cracking and does not grant the ability to remove a user home directory via sudo rm -rf.
  • D. Killing a bash process via its PID using the kill command causes abnormal termination but does not prevent history from being written to disk; bash writes history on normal exit, and an abrupt kill would leave any already-written history intact.

Concept tested. Anti-forensic bash history clearing via privilege escalation

Reference. https://www.gnu.org/software/bash/manual/bash.html#Bash-History-Facilities

Topics

bash history, anti-forensics, privilege escalation, log tampering
