Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 30, 2022 · 12:12 PM UTC

Hal Pomeranz · Sep 30, 2022 · 12:12 PM UTC

Hal Pomeranz @hal_pomeranz

30 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

Daily Linux Forensics Trivia #25 —A user’s .bash_history file shows repeated use of “sudo vim” with no other arguments. What other artifact could you inspect to get a better picture of their activities?

Sep 30, 2022 · 12:12 PM UTC

Hal Pomeranz · Oct 1, 2022 · 12:30 PM UTC

Hal Pomeranz @hal_pomeranz

1 Oct 2022

Trivia Answer #25 - Look at the user’s $HOME/.viminfo file. The file contains information on recently edited files, search terms, commands typed at the “:” prompt, and (probably most useful in this case) commands executed via shell escape.

Alan Jones 🌻 · Sep 30, 2022 · 12:25 PM UTC

Alan Jones 🌻 @0xAlan

30 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

Vimcache files owned by root?

John G. Asmussen · Sep 30, 2022 · 6:45 PM UTC

John G. Asmussen @jgasmussen

30 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

I would say it’s a false positive - everyone knows most people don’t know how to escape VIM so it’s probably just another instance of VIM jail. 🤣 ok seriously, I will just sit patiently and wait for the real answer.