mufeedvh / moonwalk

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
MIT License

Does not seem to delete .zsh_history #3

Closed: ariary closed 2 years ago

ariary commented 2 years ago

With the last version, it seems that my .zsh_history was not cleaned as expected.

Steps to reproduce

$ #in zsh
$ sudo moonwalk start
$ echo "in moonwalk"
$ sudo moonwalk finish

Then:

$ history # or cat ~/.zsh_history
[...]
 1054  sudo moonwalk start
 1055  echo "in moonwalk"
 1056  sudo moonwalk finish

It is not the expected behaviour, right?

mufeedvh commented 2 years ago

It's isolated to the user who is executing moonwalk, so when you run moonwalk as root it clears the .zsh_history of the root user. Run it without sudo and the history file of the currently logged-in user will be cleared.

I think clearing all the users' history files (if tampered/accessed) might be a good feature? Please let me know what you think and I might add this for the next release!

Thank you! :raised_hands:

ariary commented 2 years ago

Oh OK! I see.

By reflex I launched moonwalk with sudo privileges, thinking that it would be able to perform more work.

Maybe it could be interesting to be able to detect/specify a specific user whose history file will be deleted afterward.

mufeedvh commented 2 years ago

Yeah, it does perform more with sudo. I think this is doable, I will implement this in the next release!

Thank you for your interest in the project!