CompTIA PenTest+ (PT1-002) — Question 77

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

Answer options

Correct answer: C

Explanation

The correct answer is C: the commands clear the Bash history by replacing .bash_history with an empty file created from /dev/null. Options A and B do not accurately describe the intent behind the commands, and D is incorrect since there is no indication that decoy files are being created.