Bandit Level 6 -> Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

Commands you may need to solve this level

ls , cd , cat , file , du , find , grep

 

Write up

-user uname
	File is owned by user uname (numeric user ID allowed).
    
-group gname
	File belongs to group gname (numeric group ID allowed).

-size n[cwbkMG]
	File uses less than, more than or exactly n units of space, rounding up.  The following suffixes can be used:
    	`c'    for bytes

 

 

We can use the command `man find` to explore the available options for this task.

 

bandit6@bandit:~$ find / -user "bandit7"
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/cgroup.procs
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/cgroup.threads
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice/cgroup.events
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice/memory.events
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice/io.pressure
......

 

When searching through many files, we might encounter `Permission denied` messages, indicating that we don't have permission to read those files. But how can we ignore these messages? By adding `2>/dev/null` to the end of the find command, we tell the shell to redirect error messages to /dev/null, preventing them from appearing on the screen.

 

bandit6@bandit:~$ find / -user "bandit7" 2>/dev/null
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/cgroup.procs
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/cgroup.threads
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice/cgroup.events
/sys/fs/cgroup/user.slice/user-11007.slice/user@11007.service/app.slice/memory.events

 

We've successfully suppressed the 'Permission denied' message.

 

 

bandit6@bandit:~$ find / -user "bandit7" -group "bandit6" 2>/dev/null
/var/lib/dpkg/info/bandit7.password

 

The next condition is that the file belongs to the bandit6 group. We can find one such file.

 

 

bandit6@bandit:~$ find / -user "bandit7" -group "bandit6" -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

 

To meet all the criteria, we also need to check the file size.

 

 

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

 

Finally, we can find the password!

 

 

Next Level : Level 7 -> 8