Posts OverTheWire - Bandit Level 6
Post
Cancel

OverTheWire - Bandit Level 6

Posted Jan 8 2020-01-08T13:37:00+00:00 by jintz

In this level we learn how to compose more complex search criterias when looking for a file, as well as how to use --help when we need a refresher of which arguments a command accepts.

Level Instructions

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  1. human-readable
  2. 1033 bytes in size
  3. not executable

Level Solution

First we have to login via SSH using the previous level’s user bandit5 (using their password koReBOKuIDDepwhWk7jZC0RTdopnAYKh which we found in the previous level).

1. Connecting

1
2
3
4

ssh bandit5@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit5@bandit.labs.overthewire.org's password:

Just copy and paste the password koReBOKuIDDepwhWk7jZC0RTdopnAYKh when prompted, and hit ENTER. You won’t see a cursor. That’s normal.

2. Searching

We know the file is in a directory called inhere so let’s start by finding that directory first, just like the previous level we can start by just listing all files where we are using ls before we try to search for it in case it’s located elsewhere:

1
2

bandit5@bandit:~$ ls
inhere

In this case there is no need to add the -la arguments, since the directory itself is not hidden.

Found it! Now let’s list what’s inside that folder using ls -la before we consider moving into it using cd:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

bandit5@bandit:~$ ls -la inhere
total 88
drwxr-x--- 22 root bandit5 4096 May  7 20:15 .
drwxr-xr-x  3 root root    4096 May  7 20:15 ..
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere00
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere01
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere02
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere03
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere04
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere05
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere06
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere07
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere08
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere09
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere10
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere11
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere12
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere13
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere14
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere15
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere16
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere17
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere18
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere19

Unfortunately we find 20 more directories inside inhere which would be tedious to keep searching one by one. But we don’t have to! We can use the find command again, like in the previous level, but with different arguments in order to meet the specific critieras for this particular level.

As we know it’s human-readable, it’s 1033 bytes in size, and it’s not executable, we can use the find command with the 3 following flags to match that type of file; -type f, -size 1033c, and ! -executable. But how would you know all that? Or remember it? You will thanks to --help:

Help

If you’re wondering which arguments a command accepts, you can add --help after it, e.g. find --help:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

bandit5@bandit:~$ find --help
Usage: find [-H] [-L] [-P] [-Olevel] [-D debugopts] [path...] [expression]

default path is the current directory; default expression is -print
expression may consist of: operators, options, tests, and actions:
operators (decreasing precedence; -and is implicit where no others are given):
      ( EXPR )   ! EXPR   -not EXPR   EXPR1 -a EXPR2   EXPR1 -and EXPR2
      EXPR1 -o EXPR2   EXPR1 -or EXPR2   EXPR1 , EXPR2
positional options (always true): -daystart -follow -regextype

normal options (always true, specified before other expressions):
      -depth --help -maxdepth LEVELS -mindepth LEVELS -mount -noleaf
      --version -xdev -ignore_readdir_race -noignore_readdir_race
tests (N can be +N or -N or N): -amin N -anewer FILE -atime N -cmin N
      -cnewer FILE -ctime N -empty -false -fstype TYPE -gid N -group NAME
      -ilname PATTERN -iname PATTERN -inum N -iwholename PATTERN -iregex PATTERN
      -links N -lname PATTERN -mmin N -mtime N -name PATTERN -newer FILE
      -nouser -nogroup -path PATTERN -perm [-/]MODE -regex PATTERN
      -readable -writable -executable
      -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N
      -used N -user NAME -xtype [bcdpfls]      -context CONTEXT

actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print 
      -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit
      -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;
      -execdir COMMAND ; -execdir COMMAND {} + -okdir COMMAND ;

Valid arguments for -D:
exec, help, opt, rates, search, stat, time, tree
Use '-D help' for a description of the options, or see find(1)

Please see also the documentation at http://www.gnu.org/software/findutils/.
You can report (and track progress on fixing) bugs in the "find"
program via the GNU findutils bug-reporting page at
https://savannah.gnu.org/bugs/?group=findutils or, if
you have no web access, by sending email to <bug-findutils@gnu.org>.

In the middle of all that text we can read “tests (N can be +N or -N or N)” which means we can both include and exclude certain criterias. In this case we need to add the arguments -type, -size, and -executable and set them properly so we just find files that are human-readable (-type f), are 1033 bytes in size (-size 1033c), and cannot be executed (! -executable).

Note the exclamation mark ! before -executable which basically means not, i.e. “not executable” in this case. As well as the c after 1033 which means that the unit of measure is bytes.

Now when we know all that, let’s get back and run our find command with all the necessary arguments:

1
2

bandit5@bandit:~$ find inhere/ -type f -size 1033c ! -executable
inhere/maybehere07/.file2

Boom! Let’s have a look at what’s inside:

1
2

bandit5@bandit:~$ cat inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

That’s the “flag” we want to “capture” and the password we need for the next level, i.e. to login with user bandit6.

3. Exiting

1
2
3

bandit5@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level Flag

DXjZPULLxYr17uwoI01bNLQbtFemEgo7

OverTheWire, Bandit
overthewire bandit write-up walk-thru ctf
This post is licensed under CC BY-NC 4.0 by the author.

Recent Update

Contents

OverTheWire - Bandit Level 5

OverTheWire - Bandit Level 7

© 2020 jintz. All rights reserved.

For Educational Purposes Only.