Working on machines and leaving files - Etiquette Question

I have a little question about how to deal with leaving files on machines. Of course, I know that it is a good idea to clean up after yourself once you’re done and I always do that, either manually or by stopping/resetting the machine.

But one thing has been on my mind lately: What about the files I leave lying around on the box WHILE I’m working on it? It would be nice to somehow be able to signal other users “Hey, these are just my files, they are not meant to be here by the box creators please ignore them”. Of course, that wouldn’t stop other people from looking, but it would stop others from unintentionally spoiling themselves or thinking that they might have found the correct path.

To this end, I usually try to work in a /tmp subdirectory with some random name, but of course, that’s not always possible and someone else or automatic enumeration scripts like linpeas etc. might still pick it up and think that’s the way to go. Usually it should be obvious that these files are probably not there on purpose, but sometimes it might not be. And beginners might not have the experience to judge that as well.

What’s your take on this? How do you deal with this? Any good ideas?
Would love to hear your opinions :)

Yeah I was thinking it would be nice if we had a standard naming convention to show other users that these files belong to another htb user and are not part of the box. Something like just starting the file names with HTB. Problem is not everyone would know about it and if anything they might be more drawn to files named like that and think that’s a hint from the box creator.

Personally I just try to keep my files in an obscure location that most people aren’t going to look in. But that’s not always possible.

@VbScrub said:

> Yeah I was thinking it would be nice if we had a standard naming convention to show other users that these files belong to another htb user and are not part of the box. Something like just starting the file names with HTB. Problem is not everyone would know about it and if anything they might be more drawn to files named like that and think that’s a hint from the box creator.
>
> Personally I just try to keep my files in an obscure location that most people aren’t going to look in. But that’s not always possible.

That won’t really help. Tools like pspy64 and enumeration scripts will still find those writable files and running processes. I usually write in /tmp/.myrtle. I guess it is pretty obvious that is not some kind of application. Especially when they open the folder and find enum stuff.

One could also access the date created attribute. Most of the time this is also an indicator it is not part of a box.

Of course, you can’t really stop people from finding the files. That much is clear. The question is more geared towards “how can we make it clear that this is by another user and not by the box creator”.

I was also thinking if something like at Over The Wire could be possible. I only did the Bandit challenge there, but there you can’t list the contents of /tmp as a standard user. Of course you could still do some brute force enumeration. But it wouldn’t be as obvious then. No idea how difficult it would be to implement this and if automated scripts wouldn’t pick the stuff in there up as well.

@myrtle No, of course it won’t stop people or automated tools from finding the files. There’s nothing you can do to completely hide files from another person using the same logon credentials as you.

The point was that when people do find the files, if they see HTB at the start of the file name they know to ignore that as it’s not part of the box. It’s far from perfect, but better than nothing.