Bandit Level 6 to 7: Searching the Entire Filesystem
Using 'find' to scan the whole server for a file by owner, group, and size, while silencing permission errors.
Introduction
In the previous level, we used find to search within a specific directory. Now, in Bandit Level 6 to 7, we’re taking the training wheels off. The password file could be anywhere on the entire server, and we must once again use its properties to locate it.
This level introduces the challenge of running a search with broad scope, which often generates a lot of noise. We will learn how to filter out that noise to find exactly what we’re looking for.
The Challenge: Level 6 Goal
The goal for this level is to find a file somewhere on the server that matches all of the following criteria:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
This requires us to search from the very top of the filesystem hierarchy.
Step-by-Step Walkthrough
Let’s construct the command to hunt down this file.
Step 1: Log into bandit6
Use the password from the last level to SSH into the bandit6 user.
ssh [email protected] -p 2220
Step 2: Building the find Command
We’ll use find again, but with a different starting point and new tests.
Starting Path: To search the entire server, we must start from the root directory, which is represented by a single forward slash (/).
find /
Owner User: The file is owned by bandit7. The test for this is -user.
-user bandit7
Owner Group: The file belongs to the group bandit6. The test is -group.
-group bandit6
File Size: The file is 33 bytes in size. We use -size with the c suffix for bytes.
-size 33c
Step 3: Running the Command and Dealing with Errors
Let’s combine these parts and run the command.
find / -user bandit7 -group bandit6 -size 33c
When you run this, you will see the correct file path, but it will be buried in a long stream of “Permission denied” errors. This happens because our user, bandit6, does not have permission to read every directory on the server. These error messages are sent to a special channel called standard error (stderr).
find: ‘/var/spool/cron/atjobs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/log/apache2’: Permission denied
...
Step 4: The Solution - Redirecting Standard Error
To clean up our output, we can redirect all the error messages (stderr) to a special location called /dev/null, which is like a black hole that discards any data sent to it.
In Linux, stderr is represented by the file descriptor 2. We use 2>/dev/null to redirect it.
Let’s try our command again with this addition.
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
This time, the output is perfectly clean, showing only the path to the file we were looking for.
/var/lib/dpkg/info/bandit7.password
Step 5: Read the Password
With the exact path in hand, we can now use cat to retrieve the password for bandit7.
cat /var/lib/dpkg/info/bandit7.password
# yours might be different
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
Key Concepts Learned
- Global File Searches: We learned to use / as the starting point for find to search the entire filesystem.
- User and Group Predicates: The -user and -group tests are powerful additions to our find toolkit, allowing us to search based on file ownership.
- Standard Streams (stdout & stderr): We saw a practical example of the two main output streams: standard output (for successful results) and standard error (for error messages).
- Error Redirection (2>/dev/null): Redirecting stderr is a critical skill for scripting and for making command-line output readable when errors are expected.
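The walkthrough's search can be reproduced offline in a throwaway directory. The script below is an added example, not part of the original walkthrough: it shows what the c suffix changes, and that discarding stderr does not change find's exit status. The function names make_sandbox, search and cleanup are hypothetical, the current UID/GID stand in for bandit7/bandit6, and -type f is an addition to skip directories.

```shell
#!/bin/sh
# Added example. All paths and files below are constructed under mktemp.

# Build a small tree: one 33-byte file, two near misses, one unreadable dir.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/a/b" "$root/locked"
    printf '%032d\n' 0 > "$root/a/b/target.txt"   # 32 chars + newline = 33 bytes
    printf '%032d' 0 > "$root/a/short.txt"        # 32 bytes: one byte short
    # 33 blocks of 512 bytes: matches "-size 33" but not "-size 33c"
    dd if=/dev/zero of="$root/a/blocks.bin" bs=512 count=33 2>/dev/null
    chgrp -R "$(id -g)" "$root"                   # pin group to our primary GID
    chmod 000 "$root/locked"                      # find cannot descend (unless root)
    printf '%s\n' "$root"
}

# search DIR SIZE [ERRFILE]
# Matches go to stdout; find's diagnostics go to ERRFILE (default /dev/null).
# -user/-group also accept numeric IDs; -type f is an addition to skip dirs.
search() {
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" -size "$2" \
        2>"${3:-/dev/null}"
}

cleanup() { chmod 700 "$1/locked" && rm -rf "$1"; }

demo() {
    root=$(make_sandbox) || return 1
    log=$(mktemp) || return 1
    echo "-size 33c, stderr discarded:"
    status=0
    search "$root" 33c || status=$?
    # Discarding stderr hides the messages, not the failure status.
    echo "find exit status: $status"
    echo "-size 33 (no suffix, 512-byte blocks):"
    search "$root" 33 || true
    # Same search, but keep the diagnostics for review instead of dropping them.
    search "$root" 33c "$log" >/dev/null || true
    echo "diagnostics kept in log: $(wc -l < "$log") line(s)"
    cleanup "$root"; rm -f "$log"
}

demo
```

In scripts, sending stderr to a file rather than /dev/null keeps a record of which directories were skipped, which matters when an empty result could mean either "no match" or "could not look".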
Conclusion
You’ve successfully performed a server-wide search and learned how to manage command output streams. This is a significant milestone that moves you from basic commands to more advanced system administration techniques.
Save the password you found and get ready for the next level!