In this level we learn how to search an entire server when looking for a file, as well as how to use 2>/dev/null to purge error messages from the terminal.
Level Instructions
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Level Solution
First we have to log in via SSH using the previous level’s user bandit6 (using their password DXjZPULLxYr17uwoI01bNLQbtFemEgo7, which we found in the previous level).
1. Connecting
ssh bandit6@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit6@bandit.labs.overthewire.org's password:
Just copy and paste the password DXjZPULLxYr17uwoI01bNLQbtFemEgo7 when prompted, and hit ENTER. You won’t see a cursor. That’s normal.
2. Searching
Let’s start by having a quick look at what’s in our home directory using ls and ls -la:
bandit6@bandit:~$ ls
bandit6@bandit:~$ ls -la
total 20
drwxr-xr-x 2 root root 4096 May 7 20:14 .
drwxr-xr-x 41 root root 4096 May 7 20:14 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
As the first ls returned nothing, we use ls -la to check if there’s anything interesting hidden, but there isn’t.
Nothing there! And since the file we are looking for could be anywhere on the server, we might as well start with a search from the root directory / with arguments matching the criteria we are after.
Just to be clear, the ~ in our terminal tells us that we are in our user’s home directory. We are not in the root of the server after logging in. We can confirm this using pwd, which prints the working directory:
bandit6@bandit:~$ pwd
/home/bandit6
Anyway, let’s get back to finding that file! All we know is that it’s owned by the user bandit7 and the group bandit6, plus that it’s 33 bytes in size. Knowing that, we can use the find command with the following 3 flags to match that type of file: -user bandit7, -group bandit6, and -size 33c (the c suffix means bytes). So let’s search for that with find / (i.e. starting from the root directory):
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c
find: ‘/root’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/lvm/archive’: Permission denied
find: ‘/etc/lvm/backup’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/892/task/892/fd/6’: No such file or directory
find: ‘/proc/892/task/892/fdinfo/6’: No such file or directory
find: ‘/proc/892/fd/5’: No such file or directory
find: ‘/proc/892/fdinfo/5’: No such file or directory
find: ‘/cgroup2/csessions’: Permission denied
find: ‘/boot/lost+found’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/screen/S-bandit4’: Permission denied
find: ‘/run/screen/S-bandit0’: Permission denied
find: ‘/run/screen/S-bandit3’: Permission denied
find: ‘/run/screen/S-bandit23’: Permission denied
find: ‘/run/screen/S-bandit28’: Permission denied
find: ‘/run/screen/S-bandit33’: Permission denied
find: ‘/run/screen/S-bandit17’: Permission denied
find: ‘/run/screen/S-bandit10’: Permission denied
find: ‘/run/screen/S-bandit9’: Permission denied
find: ‘/run/screen/S-bandit15’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/screen/S-bandit7’: Permission denied
find: ‘/run/screen/S-bandit2’: Permission denied
find: ‘/run/screen/S-bandit1’: Permission denied
find: ‘/run/screen/S-bandit29’: Permission denied
find: ‘/run/screen/S-bandit26’: Permission denied
find: ‘/run/screen/S-bandit18’: Permission denied
find: ‘/run/screen/S-bandit13’: Permission denied
find: ‘/run/screen/S-bandit16’: Permission denied
find: ‘/run/screen/S-bandit31’: Permission denied
find: ‘/run/screen/S-bandit8’: Permission denied
find: ‘/run/screen/S-bandit14’: Permission denied
find: ‘/run/screen/S-bandit19’: Permission denied
find: ‘/run/screen/S-bandit21’: Permission denied
find: ‘/run/screen/S-bandit12’: Permission denied
find: ‘/run/screen/S-bandit5’: Permission denied
find: ‘/run/screen/S-bandit22’: Permission denied
find: ‘/run/screen/S-bandit24’: Permission denied
find: ‘/run/screen/S-bandit25’: Permission denied
find: ‘/run/shm’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/log’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
If you didn’t know about the -user or -group arguments that we can use with the find command, you can discover them, as well as many others, using find --help like we discussed in the previous level.
Unfortunately we receive a lot of “Permission denied” error messages that cover our screen. So let’s add something to our command line to purge them, by passing them on to /dev/null, which basically is a black hole that makes anything disappear!
2>/dev/null
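If you add 2>/dev/null at the end of a command, anything the command writes to standard error (file descriptor 2) is redirected, before you see it, to the special device /dev/null, which instantly discards anything written to it (including the contents of files redirected to it) in an unrecoverable fashion! Standard output, where find prints its matches, is not affected.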
So let’s try that with our original find command:
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
Boom! Let’s have a look at what’s inside using cat and the full path to the file, all the way from the / root directory:
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
That’s the “flag” we want to “capture” and the password we need for the next level, i.e. to login with user bandit7.
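The following is an added example, not part of the original walkthrough: it rebuilds the situation in a throwaway sandbox and shows that 2>/dev/null only drops the error stream, and that -size 33c (bytes) and -size 33 (512-byte blocks) are different tests. The directory layout, the file names and the helpers make_sandbox, find_owned, count_errors and cleanup are constructed for illustration; the search matches the current user's numeric uid/gid instead of bandit7/bandit6 and adds -type f.

```shell
#!/bin/sh
# Added example: constructed sandbox, hypothetical helper names.

# Build a temp tree: a 33-byte file, a 34-byte file and an unreadable directory.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/a" "$dir/locked"
    printf '%033d' 0 > "$dir/a/match.txt"        # exactly 33 bytes, no newline
    printf '%034d' 0 > "$dir/a/too_big.txt"      # 34 bytes
    printf '%032d' 0 > "$dir/locked/hidden.txt"  # 32 bytes
    chmod 000 "$dir/locked"   # non-root users get "Permission denied" here
    printf '%s\n' "$dir"
}

# find_owned ROOT SIZE: regular files under ROOT owned by our uid/gid that
# satisfy -size SIZE. Errors go to /dev/null; matches still arrive on stdout.
find_owned() {
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" -size "$2" 2>/dev/null
    return 0   # find exits non-zero after an unreadable directory; hits are still valid
}

# count_errors ROOT: the same search, but keep stderr and drop stdout, then
# count the error lines that 2>/dev/null would have hidden.
count_errors() {
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" -size 33c 2>&1 >/dev/null |
        wc -l | tr -d ' '
}

# Restore permissions so the sandbox can be deleted.
cleanup() { chmod 700 "$1/locked" && rm -rf "$1"; }

sandbox=$(make_sandbox)
echo "-size 33c: $(find_owned "$sandbox" 33c)"   # only a/match.txt
echo "-size 33 : $(find_owned "$sandbox" 33)"    # nothing: 33 blocks, not 33 bytes
echo "stderr lines hidden by 2>/dev/null: $(count_errors "$sandbox")"
cleanup "$sandbox"
```

A suppressed "Permission denied" still means that directory was not searched, so a clean-looking result only covers the paths the account can read.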
3. Exiting
bandit6@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
Level Flag
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs