MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 5 -> 6 - Walkthrough

Published - 2021-11-03 | 6min

Previous Level: Level 5

Login

SSH: ssh bandit5@bandit.labs.overthewire.org -p 2220

Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Task

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

A little bit of Theory

I have already given an introduction to the file command and how I used it to detect human-readable files in Level 5. The file command alone worked well for a small number of files. However, with more files, it is easy to lose the overview.

The command grep searches its input for lines containing a specific pattern defined by the user. It can also be used to do the opposite, meaning when using the -v flag, a line with a defined pattern will not be printed.

To use this command on the output of another command (for example, the file command), we use the pipe |. It takes the output of the first command and pipes it as input into the second command. The syntax could look something like this: <command1> | grep <pattern>.


To get the file size, we use the du command. Specifically, to get the size in bytes, we also use the -b flag. To look at all the files, including hidden ones, the -a flag is offered.

Addition: The ls -l command also shows the size of files in the fifth column.


For finding non-executable files, the find command can be used. It has the -executable flag, which searches for executable files and allows operators like ‘!’ for negation.

Some additional interesting flags for find:

  • It has a flag for looking at file size in bytes -size <bytes>.
  • It also has the option to only look at files -type f (no directories/non-executables).
  • It has a -readable flag, but this means you have the permission to read the files, not that they are human-readable.
  • Instead, we could use the -exec <command> flag with '{}' as a path, meaning the chosen command will be executed on all the files. This could be used to execute another command like file.

Solution

I try to write the solution from my point of view, including my thought process and ideas. This means that it might not be the best solution or as you will see in the Separation solution, some assumptions might be wrong. I still wanted to include this in my Write-Up though, just to show my process.

If you rather want to see a fast and concise solution, then check out the alternative One Command solution at the end.

Separation

We start again by going into the ‘inhere’ directory and getting an overview of what is inside it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 May  7  2020 .
drwxr-xr-x  3 root root    4096 May  7  2020 ..
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere00
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere01
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere02
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere03
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere04
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere05
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere06
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere07
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere08
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere09
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere10
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere11
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere12
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere13
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere14
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere15
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere16
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere17
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere18
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere19

bandit5@bandit:~/inhere$ ls -la maybehere00
total 72
drwxr-x---  2 root bandit5 4096 May  7  2020 .
drwxr-x--- 22 root bandit5 4096 May  7  2020 ..
-rwxr-x---  1 root bandit5 1039 May  7  2020 -file1
-rwxr-x---  1 root bandit5  551 May  7  2020 .file1
-rw-r-----  1 root bandit5 9388 May  7  2020 -file2
-rw-r-----  1 root bandit5 7836 May  7  2020 .file2
-rwxr-x---  1 root bandit5 7378 May  7  2020 -file3
-rwxr-x---  1 root bandit5 4802 May  7  2020 .file3
-rwxr-x---  1 root bandit5 6118 May  7  2020 spaces file1
-rw-r-----  1 root bandit5 6850 May  7  2020 spaces file2
-rwxr-x---  1 root bandit5 1915 May  7  2020 spaces file3

We can see multiple folders. Checking out the first folder, we can see there are multiple files in it. So checking each file individually would be a tedious task. What we can do is use the information from the task and search all files in all the directories - with help of the wildcard ‘*’, described in Level 5.

Human Readable

The command file */{.,}* would return the file type of every file in the folders in ‘inhere’. We use */* to print all files in all directories. However, this does not include hidden files. Therefore we use {.,} to include files starting with a . and , indicates files starting with anything else 1.

To make it a little more visible and concentrate only on the human-readable files, we can use the grep command. In this case, we would like to print only lines that contain ‘ACSII’ since this is the human-readable file type we are looking for, based on the previous level. To use this command, we use the pipe | to use grep on the output of the file command: file */{.,}* | grep ASCII. Now, this is still a lot of output. Specifically either ASCII text, with very long lines and only ASCII text.

Therefore, if I assume the password is not in one of the files with long lines, we can filter for ‘, with very long lines’ or any subsection of this pattern:

1
2
3
4
5
6
7
8

	bandit5@bandit:~/inhere$ file */{.,}* | grep "ASCII text" | grep -v ', with very long lines'
	maybehere10/.file2:       ASCII text
	maybehere15/.file2:       ASCII text
	maybehere01/-file2:       ASCII text
	maybehere08/spaces file1: ASCII text
	maybehere12/-file2:       ASCII text
	maybehere15/spaces file2: ASCII text
	maybehere18/-file2:       ASCII text

Now the result is not as large. We could manually check these files. However, we cannot distinguish which file contains the password and would need to test all - without even being sure that my assumption was correct. Instead, we can look if we can narrow down our options with the help of the other criteria.

1033 bytes

We get the file size, as mentioned in the Theory section, with help of the du command. Then we again use grep to filter for the correct size (‘1033’):

1
2
3
4

	bandit5@bandit:~/inhere$ du -b -a | grep 1033
	1033    ./maybehere07/.file2
	bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
	DXjZPULLxYr17uwoI01bNLQbtFemEgo7

This returns us only one file, which is not in our previous list, which means my previous assumption was wrong because:

1
2

	bandit5@bandit:~/inhere$ file ./maybehere07/.file2
	./maybehere07/.file2: ASCII text, with very long lines

Non Executable

For finding non-executable files, we could use the command: find . ! -executable. However, it returns a long list of non-executable files, including hidden files.

One Command

Splitting the tasks of checking the requirements can be tedious and we got lucky that there was only one file with the correct size.

The question, therefore, would be, is there a more efficient way - potentially one command - that includes all criteria?

The most likely candidate would be find.

  • We use -size 1033 to look for the file-size requirement.
  • We use -type f to only look at files.
  • We use -exec file '{}' \;, to execute the file command and get the file data type. After that, we simply need to filter the output for the file type ‘ASCII’ again. 2
1
2
3
4
5

bandit5@bandit:~/inhere$ find . -type f -size 1033c ! -executable -exec file '{}' \; | grep ASCII
./maybehere07/.file2: ASCII text, with very long lines

bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

https://overthewire.org/wargames/bandit/bandit6.html

Next Level: Level 7


Share on:
Comments:
Related Content:
OverTheWire Bandit Level 6 -> 7 - Walkthrough

A walkthrough of Level 6 -> 7 of the Bandit wargame from OverTheWire. - Find a file with specific user and group ownership.

OverTheWire Bandit Level 4 -> 5 - Walkthrough

A walkthrough of Level 4 -> 5 of the Bandit wargame from OverTheWire. - File types, specifically human-readable files.