Bash History Attack

Last modified: 2023-07-24

Post Exploitation Shell

If an attacker can log in as the victim user on a system, they can exploit the bash history in the victim's home directory.

Bash History Unveiling

.bash_history is commonly found in the user's home directory. To avoid storing the bash history, users can link this file to /dev/null as below.

# If victim uses bash...
ln -sf /dev/null ~/.bash_history

# If victim uses zsh...
ln -sf /dev/null ~/.zsh_history

Exploitation

If attackers can log in as the victim user, they can unlink /dev/null so that the bash history is stored again. If the HISTFILE variable does not appear in .bashrc or .profile, attackers can add the following line to that file to store the bash history.

# If victim uses bash...
unlink ~/.bash_history ; touch ~/.bash_history
echo "HISTFILE=~/.bash_history" >> ~/.bashrc

# If victim uses zsh...
unlink ~/.zsh_history ; touch ~/.zsh_history
echo "HISTFILE=~/.zsh_history" >> ~/.zshrc

After rebooting the machine, the bash history will be stored in the .bash_history file, and attackers can read it when they log in again. The history may reveal sensitive information.
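
A defender-side check for the changes described above, as an added example that is not part of the original page: it reports history files that are not linked to /dev/null and HISTFILE assignments in shell start-up files. It assumes the account owner set up the /dev/null link on purpose; the function names `history_state` and `audit_history` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit a home directory for the
# history tampering described above. Assumes the account owner deliberately
# linked the history files to /dev/null, so any other state is suspicious.

# Classify a history file: linked (to /dev/null), regular, or absent.
history_state() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]; then
        echo linked
    elif [ -e "$1" ] || [ -L "$1" ]; then
        echo regular
    else
        echo absent
    fi
}

# Print findings for one home directory; exit status 0 means nothing found.
# The body is a subshell, so its variables do not leak into the caller.
audit_history() (
    home="${1:-$HOME}"
    findings=0
    for h in .bash_history .zsh_history; do
        if [ "$(history_state "$home/$h")" = regular ]; then
            echo "ALERT $home/$h is not linked to /dev/null"
            findings=$((findings + 1))
        fi
    done
    for rc in .bashrc .zshrc .profile; do
        [ -f "$home/$rc" ] || continue
        # HISTFILE assignments are what the page says an intruder appends.
        if hits=$(grep -nE '^[[:space:]]*(export[[:space:]]+)?HISTFILE=' "$home/$rc"); then
            echo "WARN  $home/$rc sets HISTFILE:"
            echo "$hits" | sed 's/^/      line /'
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_history "$1"
fi
```

A WARN line is a prompt to review the start-up file, since a legitimate configuration may also set HISTFILE.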


False Information Inserting

Attackers can easily insert arbitrary content into .bash_history as follows.

# Assume `malicious` is a malicious binary.
echo "~/malicious" >> ~/.bash_history

When the victim views the contents of .bash_history, they may execute the malicious command by mistake.