π OverTheWire Bandit Level 4: Finding Hidden Files
Level 4 introduces a concept that trips up many beginners: hidden files. In Linux, files that start with a dot (.) are hidden by defaultβthey don't show up in normal directory listings. This might seem like a small detail, but it's crucial for penetration testing and system administration.
Level 4 teaches you:
- How Linux handles hidden files
- Using
ls -ato see all files - Navigating into directories
- Why files are hidden and when it matters
If you've been following along, you've learned about files with dashes, files with spaces, and now it's time to learn about files that don't want to be seen. This is another common gotcha that you'll encounter in real-world security work.
π― The Objective
After logging into bandit3, your goal is to find the password for Level 4. The password is in a file, but this file is hiddenβit starts with a dot (.), which means it won't show up when you use the regular ls command.
What Level 4 teaches:
- Understanding hidden files in Linux
- Using
ls -ato list all files - Navigating into subdirectories
- Reading hidden files
The challenge: The password is in a hidden file inside a directory called inhere. You'll need to navigate there, list all files (including hidden ones), and read the hidden file.
π Understanding the Problem
Let's start by connecting to Level 3 and seeing what we're dealing with:
sshpass -p `cat bandit3` ssh bandit3@bandit.labs.overthewire.org -p 2220
Once connected, let's see what's in the directory:
ls -la
You should see a directory called inhere. That's where the password is hidden.
The problem: If you navigate into inhere and use the regular ls command, you won't see anything. The file is hidden because it starts with a dot (.). You need to use ls -a to see it.
π§ Why Files Are Hidden: Understanding the Dot Convention
Here's what's happening: In Linux, any file or directory that starts with a dot (.) is considered "hidden" and won't show up in normal directory listings.
How Hidden Files Work
When you run ls, it only shows "normal" files. Files starting with . are filtered out. This is a convention, not a security featureβit's meant to keep configuration files and system files out of the way.
Examples of hidden files:
.bashrcβ Bash configuration file.ssh/β SSH keys directory.git/β Git repository data.envβ Environment variables (often contains secrets!)
Why this matters: In penetration testing, hidden files often contain:
- Configuration files with credentials
- SSH keys
- Environment variables with API keys
- Backup files (
.bak,.old,.swp) - History files (
.bash_history,.mysql_history)
The Solution: Use ls -a
To see hidden files, you need to use the -a flag with ls:
ls -a
The -a stands for "all" and tells ls to show everything, including hidden files.
π Step-by-Step Walkthrough
Step 1: Connect to Level 3
sshpass -p `cat bandit3` ssh bandit3@bandit.labs.overthewire.org -p 2220
Step 2: List Files in Current Directory
ls -la
You should see a directory called inhere. That's your target directory.
Step 3: Navigate into the Directory
Use cd to change into the inhere directory:
cd inhere
Pro tip: You can use tab completion here. Type cd in<TAB> and the shell will auto-complete inhere for you.
What cd does:
- Changes directory β Moves you into a different folder
- Essential for navigation
- You can use
cd ..to go back up one level
Step 4: List All Files (Including Hidden Ones)
Now that you're in the inhere directory, list all files:
ls -la
Important: Use ls -la, not just ls. The -a flag shows hidden files, and the -l flag shows details (permissions, owner, size, etc.).
You should now see a hidden file. It will start with a dot, something like .hidden or .file or similar.
What you'll see:
total 12
drwxr-xr-x 2 bandit3 bandit3 4096 Jan 16 12:00 .
drwxr-xr-x 3 bandit3 bandit3 4096 Jan 16 11:00 ..
-rw-r----- 1 bandit3 bandit3 33 Jan 16 12:00 .hidden
Notice the .hidden fileβthat's your target. The dot at the beginning makes it hidden.
Step 5: Read the Hidden File
Now read the hidden file:
cat .hidden
Important: Include the dot when reading the file. The filename starts with ., so you need to include it.
Pro tip: Use tab completion. Type cat .<TAB> and the shell will auto-complete the hidden filename for you.
The output will be the password for Level 4.
Step 6: Save the Password
Copy the password and save it:
On Linux/macOS:
echo "PASSWORD_HERE" > bandit4
On Windows (PowerShell):
"PASSWORD_HERE" | Out-File -FilePath bandit4 -NoNewline
Step 7: Connect to Level 4
sshpass -p `cat bandit4` ssh bandit4@bandit.labs.overthewire.org -p 2220
π‘ Understanding Hidden Files
Let's dive deeper into hidden files, because this concept is crucial:
Why Are Files Hidden?
Hidden files are a convention, not a security feature. They're hidden to:
- Reduce clutter β Keep configuration files out of normal listings
- Prevent accidental deletion β Important system files are less likely to be deleted
- Organize files β Separate user files from system files
Important: Hidden files are NOT secure. Anyone who knows to use ls -a can see them. Don't rely on hiding files for security.
Common Hidden Files You'll Encounter
Configuration files:
.bashrcβ Bash shell configuration.vimrcβ Vim editor configuration.gitconfigβ Git configuration.ssh/β SSH keys and configuration
Application data:
.git/β Git repository data.npm/β Node.js package manager cache.cache/β Application cache files
Security-sensitive files:
.envβ Environment variables (often contains secrets!).ssh/id_rsaβ Private SSH key.aws/credentialsβ AWS credentials.bash_historyβ Command history (may contain passwords)
Finding Hidden Files
Method 1: ls -a (Recommended)
ls -a
Method 2: ls -la (Shows details too)
ls -la
Method 3: Using find
find . -name ".*"
This finds all files starting with a dot in the current directory.
Method 4: Using wildcards
ls -la .*
This lists all hidden files and directories.
For Level 4, use Method 1 or 2 β they're the simplest and most reliable.
π οΈ Alternative Methods
Here are different ways to find and read hidden files:
Method 1: ls -a (Recommended)
cd inhere
ls -a
cat .hidden
Pros: Simple, clear, shows all files Cons: None really
Method 2: ls -la (Shows Details)
cd inhere
ls -la
cat .hidden
Pros: Shows file permissions, owner, size, date Cons: More verbose output
Method 3: Using find
cd inhere
find . -name ".*" -type f
cat .hidden
Pros: Powerful, can search recursively Cons: More complex syntax
Method 4: Direct Path
cat inhere/.hidden
Pros: Works from anywhere, no need to cd
Cons: Need to know the exact filename
For Level 4, use Method 1 or 2 β they're the most straightforward.
π Real-World Context
Why does this matter in penetration testing?
In real security assessments, hidden files are goldmines:
1. Configuration Files
Configuration files often contain:
- Database credentials
- API keys
- Service account passwords
- Connection strings
Example: A .env file might contain:
DB_PASSWORD=super_secret_password
API_KEY=sk_live_1234567890abcdef
2. SSH Keys
The .ssh/ directory contains:
- Private keys (
id_rsa,id_ed25519) - Authorized keys (who can SSH in)
- Known hosts (trusted servers)
Finding private keys: If you find a private SSH key, you might be able to use it to access other systems.
3. History Files
Command history files contain everything the user typed:
.bash_historyβ Bash command history.mysql_historyβ MySQL command history.python_historyβ Python REPL history
Why this matters: Users often type passwords on the command line, which get saved to history files.
4. Backup Files
Applications create backup files:
.bakβ Backup files.oldβ Old versions.swpβ Vim swap files~β Backup files (some editors)
Why this matters: Backup files might contain:
- Old passwords
- Sensitive data
- Configuration changes
5. Web Application Files
Web applications often store sensitive files:
.htaccessβ Apache configuration (may contain credentials).git/β Git repository (may contain source code with secrets).envβ Environment variables (API keys, passwords)
The skill you're learning: How to find files that aren't immediately visible. This is essential when:
- Enumerating user directories
- Searching for credentials
- Finding configuration files
- Discovering backup files
- Analyzing compromised systems
π¨ Common Mistakes
Mistake 1: Using ls Instead of ls -a
Wrong:
cd inhere
ls
# Nothing shows up!
Right:
cd inhere
ls -a
# Now you see the hidden file
Why: Regular ls filters out hidden files. You need -a to see them.
Mistake 2: Forgetting the Dot When Reading
Wrong:
cat hidden
# Error: No such file or directory
Right:
cat .hidden
# Works!
Why: The filename starts with a dot, so you need to include it.
Mistake 3: Not Navigating into the Directory
Wrong:
ls -la
# Lists files in current directory, not inhere
Right:
cd inhere
ls -la
# Lists files in inhere directory
Why: You need to be in the right directory to see its contents.
Mistake 4: Assuming Hidden Files Are Secure
Wrong thinking: "If it's hidden, it must be secure."
Reality: Hidden files are just a convention. Anyone who knows ls -a can see them. Don't rely on hiding files for security.
Mistake 5: Not Using Tab Completion
Many beginners type filenames manually, which leads to typos. Use Tab completionβit's faster and more accurate, especially for hidden files.
π» Practice Exercise
Try these to reinforce what you learned:
-
Create a hidden file:
echo "secret" > .secret -
List files normally:
ls # .secret doesn't show up -
List all files:
ls -a # Now .secret appears -
Read the hidden file:
cat .secret -
Find all hidden files:
find . -name ".*" -type f -
Clean up:
rm .secret
π Understanding Directory Navigation
This is a good time to understand how directory navigation works:
Current Directory (.)
The . refers to the current directory:
ls .
# Lists files in current directory
Parent Directory (..)
The .. refers to the parent directory (one level up):
cd ..
# Goes up one directory level
ls ..
# Lists files in parent directory
Home Directory (~)
The ~ refers to your home directory:
cd ~
# Goes to home directory
ls ~
# Lists files in home directory
Absolute vs. Relative Paths
Absolute path: Starts from root (/)
- Example:
/home/bandit3/inhere/.hidden - Always works from anywhere
Relative path: Starts from current location
- Example:
inhere/.hidden(if you're in/home/bandit3) - Depends on where you are
For Level 4:
# From /home/bandit3:
cat inhere/.hidden # Relative path
cat /home/bandit3/inhere/.hidden # Absolute path
# From /home/bandit3/inhere:
cat .hidden # Relative path (current directory)
cat /home/bandit3/inhere/.hidden # Absolute path
π What's Next?
Level 5 introduces another file conceptβfiles with specific characteristics (like being human-readable). You'll learn to identify file types and use the file command to understand what you're working with.
Before moving on, make sure you:
- β
Successfully navigated into the
inheredirectory - β
Used
ls -ato see hidden files - β Read the hidden file and got the password
- β
Understand why files starting with
.are hidden - β
Know how to use
cdto navigate directories
π Key Takeaways
After completing Level 4, you should understand:
- Hidden files convention β Files starting with
.are hidden by default ls -aflag β Shows all files including hidden ones- Directory navigation β Using
cdto move between directories - Tab completion β Helps with typing filenames accurately
- Not a security feature β Hidden files are just a convention, not secure
π― Quick Reference
| Problem | Solution | Example |
|---|---|---|
| File is hidden | Use ls -a | ls -a |
| Navigate to directory | Use cd | cd inhere |
| Read hidden file | Include the dot | cat .hidden |
| Go back up | Use cd .. | cd .. |
| See file details | Use ls -la | ls -la |
Questions about Level 4 or finding hidden files? Reach out directly:
- Email: m1k3@msquarellc.net
- Phone: (559) 670-3159
- Schedule: Book a free consultation
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice