Bandit5->6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands useful to solve the level

Helpful Reading Material

Where to start?

The solution is very similar to that of the previous level, so check that one for a more in-depth explanation. For this level, I will give fewer explanations and only add complements that teach you where to find the relevant information. Without further ado, let's dive right into the solution.

Walkthrough

The goal of this exercise is to add options to the find command so that the file we retrieve meets all the requirements. We'll look for the options one after the other in the find(1) documentation.

Option 1 : File Size

The first option we're looking for is an option that allows us to check for the file size. Let's look in the find(1) man page to see if we can find the option we need.

Hint

Try looking in section 2 of the GNU findutils documentation.

Solution

The option we're looking for is described there. It is the -size option.
We are going to invoke it like this: -size 1033c (the c suffix means the size is counted in bytes).

Option 2 : Not Executable

The second option we're looking for is one that allows us to check for the executable permission on the files we encounter. Let's look once again into the find(1) man page (or the GNU findutils documentation) to find what we need.

Hint

This time, we still need to look at section 2 of the GNU findutils documentation. However, we need to look into two different subsections of it to complete our option.

Solution

The option we're looking for is described there. It is the -executable option. However, we need our file to not be executable, and the same section shows that we can negate a condition with the -not operator.
We are going to invoke our option like this: -not -executable.

Building the command

After getting our two options, the rest of the command is exactly the same as with the previous exercise.
Here is our command :

find inhere -type f -size 1033c -not -executable -execdir file '{}' \; -print

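We need to add -print at the end because we use the -execdir option instead of the -exec option (see the security considerations): file is run from inside the directory containing each match, so its output only shows the file name relative to that directory, and -print gives us the full path.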

Security concerns : One-liner from previous exercise

In the previous level I gave you a one-liner to solve the level:

find inhere/ -type f -execdir bash -c 'file {} | grep text > /dev/null' \; -execdir cat '{}' \; -quit

Although this command gives the right answer, it presents a security concern. Indeed, if an attacker puts a specially crafted filename in your directory, it could lead to the deletion of all of your data. Let's see a safe example right now. Try running the following script and understanding its output (you can copy and paste the script into your terminal window):


In this example we see that our /tmp/testrm directory has been deleted even though we didn't intend to do so at all. This is because find pastes the filename into the text of the bash -c script, so the 'rm -rf' command embedded in our dangerously named file was executed when we tried to run file on it without sanitizing the input. Even if it is harmless in this example, if the attacker replaces $TEST with $HOME it could be far more harmful.
To prevent this from happening, instead of the command find -execdir bash -c 'file {}' \; we can run the following:

find -execdir bash -c 'file "$@"' bash '{}' \;

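To understand precisely what this command does, check the -c option in the bash invocation section of the GNU bash manual: the arguments that follow the command string are assigned to $0, $1 and so on, so the filename reaches file as data through "$@" instead of being parsed as shell code.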
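The difference between the two forms, as an added example (not the script from the original post): it builds a scratch directory with mktemp, plants a constructed filename whose payload only creates a marker file called INJECTED, and runs both find commands against it. The function names and the marker name are illustrative assumptions, and GNU find and bash are assumed to be installed.

```shell
# Added demo: filename injection through bash -c '... {}' versus passing
# the name as a positional parameter ("$@"). The payload is harmless: it
# only creates a marker file named INJECTED inside a scratch directory.

make_sandbox() {
    # Constructed test data: one ordinary file and one file whose *name*
    # contains shell syntax.
    local dir
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/normal.txt"
    printf 'hello\n' > "$dir/x; touch INJECTED"
    printf '%s\n' "$dir"
}

run_unsafe() {
    # find substitutes {} into the script text, so bash parses the
    # filename as code: file ./x; touch INJECTED
    find "$1" -type f -execdir bash -c 'file {}' \; >/dev/null 2>&1
    return 0
}

run_safe() {
    # The filename is passed as $1 of the inner script and quoted via "$@",
    # so it is only ever an argument to file.
    find "$1" -type f -execdir bash -c 'file "$@"' bash '{}' \; >/dev/null 2>&1
    return 0
}

injected() {
    # Report whether the payload in the filename was executed.
    if [ -e "$1/INJECTED" ]; then echo yes; else echo no; fi
}

demo() {
    # $1 is "unsafe" or "safe"; each run gets a fresh scratch directory.
    local mode=$1 dir result
    dir=$(make_sandbox) || return 1
    "run_$mode" "$dir"
    result=$(injected "$dir")
    rm -rf -- "$dir"
    printf '%s\n' "$result"
}

echo "unsafe: injected=$(demo unsafe)"
echo "safe:   injected=$(demo safe)"
```

The unsafe form reports injected=yes and the safe form reports injected=no.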

You can now jump to the next level