January, 2012 | Practical System Administration

I found this one a little while back and figured I might as well share it out since not that many people I talk to seem to know about it. For the longest time if I wanted to search through all my old commands I would do something like this:

history | less

and just kind of wade my way through previously executed commands not very efficient. Once I started getting lazier and the list of items in my history cache grew I started to use this one:

history | grep -i "bleh"

This is a little better, but still a lot more searching and typing than I want. Finally, thanks to the helpful folks over at reddit, I stumbled across this hidden gem:

Ctrl + r "bleh"

So, just press Ctrl then R keys and then a piece of the command you are looking for, bleh in this example, then just hit tab to pull the command up you were looking for once you have enough of the string matched. This is a shortcut that executes the “reverse-i-search” command, and it is freakin awesome. So if there was a command you ran a really long time ago and can’t remember the syntax 100% but know the general idea you can use this to capture the pieces you do remember, saving yourself all that extra time of having to go back through trying to figure out what the hell you were doing.

I recently watched a talk given by Raphael Mudge, the creator of Armita, entitled “Dirty Red Team Tricks”. In this talk he basically goes over the basics of how to play the hacker version of capture the flag from the point of view of the offensive team or attackers, the red team (pretty self explanatory right?). It was a really good watch, and he demonstrated some really neat little tricks to the audience, including how to use Armitage effectively. Here is the link If you would like to view the presentation.

There was one very curious trick he mentioned in his talk that I want to focus this post on and to save as a note to myself for future reference. That is the chattr command.

The main use case for this command is to essentially make a file immutable by setting the “+i” flag. This is similar to using the attrib command in dos on Windows. So for instance, you could do something like change the attributes of a password file or any other important file that you didn’t want getting altered by issuing the following command:

chattr +i some_file_name

Note, you must be root or in the sudo group to use this. Until the flag to turn this off is issued, even the root user cannot change the file, how cool is that?! I see why Mudge likes to use this dirty little trick when competing in capture the flag games now. So to check what attributes a particular file has applied to it you can use the lsattr command as follows, notice that the i flag is now set for the file:

lsattr some_file_name ----i------------e- some_file_name

And finally, to switch this flag off use the following command:

chattr -i some_file_name

We can check again to see if the flag actually got turned off:

lsattr some_file_name -----------------e- some_file_name

That’s it. I couldn’t believe how simple this nasty little trick was to use but how effective it may be in a given situation. I hope this post was helpful for you, and seriously, you should check out Armitage if you are messing around with penetration testing tools, Raphael Mudge is a really smart dude.

Month: January 2012

Protip: January

A Brief Overview of the Linux chattr Command