🔎 OverTheWire Bandit Level 6: Finding Files by Size and Permissions

Level 6 introduces one of the most powerful Linux commands: find. When you're dealing with multiple directories and files, manually searching becomes impossible. The find command lets you search for files based on specific criteria—like size, permissions, ownership, and more.

Level 6 teaches you:

• Using the find command with advanced criteria
• Finding files by size (exact byte count)
• Finding files by permissions (executable vs. non-executable)
• Using negation (!) in find commands
• Searching across multiple directories efficiently

This is where things start getting more interesting. Instead of manually checking files, you'll learn to let Linux do the heavy lifting for you. This skill is essential for penetration testing and system administration.

---

🎯 The Objective

After logging into bandit5, your goal is to find the password for Level 6. The password is in a file somewhere in the /inhere directory (note: this is in the root directory, not your home directory). The file has specific characteristics: it's non-executable and exactly 1033 bytes in size.

What Level 6 teaches:

• Using find to search for files by criteria
• Understanding file permissions (executable vs. non-executable)
• Finding files by exact size
• Using negation operators in find commands
• Searching in absolute paths

The challenge: There are multiple directories and files in /inhere. You need to find the one file that matches both criteria: non-executable AND exactly 1033 bytes. Manual searching would take forever—that's why find exists.

---

🔍 Understanding the Problem

Let's start by connecting to Level 5 and seeing what we're dealing with:

sshpass -p `cat bandit5` ssh bandit5@bandit.labs.overthewire.org -p 2220

Once connected, let's check what's in /inhere:

ls -la /inhere

You should see multiple directories. If you explore manually, you'll find files scattered across different subdirectories—this would take forever to check manually.

The problem: How do you quickly find a file that's:

• Located somewhere in /inhere (which has multiple subdirectories)
• Non-executable (doesn't have execute permissions)
• Exactly 1033 bytes in size

The answer: Use find with size and permission criteria.

---

🧠 Understanding the find Command

Let's dive deeper into find, because it's one of the most powerful Linux tools:

What find Does

The find command searches for files and directories based on criteria you specify:

find [path] [criteria] [action]

Basic structure:

• path — Where to search (. for current directory, / for root, /inhere for specific path)
• criteria — What to search for (size, permissions, name, etc.)
• action — What to do with results (default is to print the path)

Common find Criteria

By size:

• -size 1033c — Exactly 1033 bytes (the c means bytes)
• -size +1M — Larger than 1 megabyte
• -size -100k — Smaller than 100 kilobytes

By permissions:

• -executable — Files that are executable
• ! -executable — Files that are NOT executable (the ! means "not")

By name:

• -name "filename" — Exact name match
• -name "*.txt" — Pattern matching

By type:

• -type f — Files only
• -type d — Directories only

Combining Criteria

You can combine multiple criteria:

find /inhere ! -executable -size 1033c

This finds files in /inhere that are:

• NOT executable (! -executable)
• Exactly 1033 bytes (-size 1033c)

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 5

sshpass -p `cat bandit5` ssh bandit5@bandit.labs.overthewire.org -p 2220

Step 2: Understand the Search Location

The password is in /inhere, which is in the root directory (not your home directory). This is an absolute path starting from /.

Step 3: Use find with Size and Permission Criteria

Use find to search for files matching both criteria:

find /inhere ! -executable -size 1033c

Breaking this down:

• find /inhere — Search in the /inhere directory
• ! -executable — Files that are NOT executable (the ! negates the condition)
• -size 1033c — Files that are exactly 1033 bytes (the c means bytes)

What you'll see: The command will output the path to the file that matches both criteria. It might look something like /inhere/maybehere07/.file2.

Step 4: Read the File

Once you have the file path, read it:

cat /inhere/maybehere07/.file2

(Replace with the actual path from your find output)

The output will be the password for Level 6.

Step 5: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit6

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit6 -NoNewline

Step 6: Connect to Level 6

sshpass -p `cat bandit6` ssh bandit6@bandit.labs.overthewire.org -p 2220

---

💡 Understanding File Permissions

Let's dive deeper into permissions, because understanding them is crucial:

What Are File Permissions?

In Linux, every file has permissions that control:

• Read — Can you read the file?
• Write — Can you modify the file?
• Execute — Can you run the file as a program?

Checking Permissions

Use ls -l to see file permissions:

ls -l filename

Example output:

-rwxr-xr-x  1 user group  1033 Jan 16 12:00 file1
-rw-r--r--  1 user group  1033 Jan 16 12:00 file2

Breaking down -rwxr-xr-x:

• First character: - = file (or d for directory)
• Next 3: rwx = owner can read, write, execute
• Next 3: r-x = group can read, execute (no write)
• Last 3: r-x = others can read, execute (no write)

For -rw-r--r--:

• Owner: read, write (no execute)
• Group: read only
• Others: read only

Executable vs. Non-Executable

Executable files:

• Have x (execute) permission set
• Can be run as programs: ./script.sh
• find -executable matches these

Non-executable files:

• Don't have x permission set
• Cannot be run as programs
• find ! -executable matches these

For Level 6: We're looking for non-executable files (! -executable).

---

💡 Understanding File Sizes

Let's also understand how find handles file sizes:

Size Units in find

The find command uses different units:

• c — Bytes (characters)
• b — 512-byte blocks (default if no unit specified)
• k — Kilobytes (1024 bytes)
• M — Megabytes (1024 kilobytes)
• G — Gigabytes (1024 megabytes)

For Level 6: We use 1033c which means exactly 1033 bytes.

Size Operators

• -size 1033c — Exactly 1033 bytes
• -size +1033c — Larger than 1033 bytes
• -size -1033c — Smaller than 1033 bytes

For Level 6: We need exactly 1033 bytes, so we use -size 1033c (no + or -).

---

🛠️ Alternative Methods

Here are different ways to find the file:

Method 1: find with Combined Criteria (Recommended)

find /inhere ! -executable -size 1033c

Pros: Fast, efficient, searches recursively Cons: None really

Method 2: Search by Size First, Then Check Permissions

find /inhere -size 1033c -exec ls -l {} \;

Pros: Shows file details Cons: More complex, requires understanding -exec

Method 3: Manual Search (Not Recommended)

cd /inhere
find . -type f
# Then manually check each file's size and permissions...

Pros: Simple, no new commands Cons: Extremely slow, error-prone, nearly impossible

For Level 6, use Method 1 — it's the most efficient and teaches you valuable skills.

---

🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll constantly use find to locate files:

1. Finding Configuration Files

Configuration files are often:

• Non-executable
• Specific sizes
• In specific locations

Example: Finding config files:

find /etc ! -executable -name "*.conf" -size -10k

2. Finding Large Files

Large files might contain:

• Database dumps
• Log files
• Data backups

Example: Finding large files:

find /home -size +100M

3. Finding Executable Files

Executable files might be:

• Malware
• Scripts with vulnerabilities
• SUID binaries

Example: Finding executables:

find /tmp -executable -type f

4. Finding Files by Ownership

Files owned by specific users might contain:

• User credentials
• Personal data
• Configuration files

Example: Finding files owned by a user:

find /home -user username -size -1M

5. Finding Files with Specific Permissions

Files with unusual permissions might be:

• Misconfigured
• Intentionally hidden
• Security risks

Example: Finding world-writable files:

find / -type f -perm -002

The skill you're learning: How to efficiently search for files based on multiple criteria. This is essential when:

• Enumerating file systems
• Finding specific file types
• Locating configuration files
• Identifying security issues
• Processing large directory structures

---

🚨 Common Mistakes

Mistake 1: Wrong Size Unit

Wrong:

find /inhere -size 1033
# This means 1033 * 512-byte blocks, not bytes!

Right:

find /inhere -size 1033c
# The 'c' means bytes

Why: Without a unit, find uses 512-byte blocks. You need c for bytes.

Mistake 2: Wrong Negation Syntax

Wrong:

find /inhere -executable -size 1033c
# This finds executable files, not non-executable!

Right:

find /inhere ! -executable -size 1033c
# The ! negates the condition

Why: The ! is required to negate the -executable condition. Without it, you're searching for executable files.

Mistake 3: Searching in Wrong Location

Wrong:

find inhere ! -executable -size 1033c
# Searches relative to current directory

Right:

find /inhere ! -executable -size 1033c
# Searches in root /inhere directory

Why: /inhere is an absolute path in the root directory. Without the leading /, it would search relative to your current location.

Mistake 4: Not Understanding the Output

Confusion: "I see a path but don't know what to do with it."

Clarification: The find command outputs file paths. You can:

• Read the file: cat /path/to/file
• Check its details: ls -l /path/to/file
• Use it in other commands

For Level 6: The output is the file path—just cat it to get the password.

Mistake 5: Forgetting Both Criteria

Wrong:

find /inhere -size 1033c
# Only checks size, might return multiple files

Right:

find /inhere ! -executable -size 1033c
# Checks both criteria

Why: You need both criteria to find the exact file. Size alone might match multiple files.

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Find files by size:

   find /tmp -size +1M
   # Finds files larger than 1MB in /tmp
   

2. Find non-executable files:

   find ~ ! -executable -type f | head -10
   # First 10 non-executable files in home directory
   

3. Combine criteria:

   find . -size -100c ! -executable
   # Small non-executable files in current directory
   

4. Find and read:

   find /tmp -size 100c -exec cat {} \;
   # Finds and displays files exactly 100 bytes
   

---

🎓 Understanding find Operators

This is a good time to understand find operators:

Logical Operators

AND (default): Multiple criteria are ANDed together

find . -size 100c -name "*.txt"
# Files that are 100 bytes AND named *.txt

OR: Use -o for OR

find . -name "*.txt" -o -name "*.log"
# Files named *.txt OR *.log

NOT: Use ! for NOT

find . ! -executable
# Files that are NOT executable

For Level 6: We use ! to negate -executable, finding non-executable files.

Combining Operators

You can combine operators with parentheses (escape them for the shell):

find . \( -name "*.txt" -o -name "*.log" \) ! -executable
# Files named *.txt OR *.log, AND NOT executable

---

🔗 What's Next?

Level 7 builds on what you learned in Level 6, but now you're searching by file ownership instead of size or permissions. You'll learn to find files owned by specific users or groups, which is crucial for security assessments.

Before moving on, make sure you:

• ✅ Successfully used find with size criteria
• ✅ Understand how ! -executable works
• ✅ Can combine multiple find criteria
• ✅ Know the difference between absolute and relative paths
• ✅ Understand file permissions (executable vs. non-executable)

---

📚 Key Takeaways

After completing Level 6, you should understand:

1. find command — Powerful tool for searching files by criteria
2. Size criteria — Using -size with units (c for bytes)
3. Permission criteria — Using -executable and ! -executable
4. Negation operator — Using ! to negate conditions
5. Combining criteria — Multiple criteria are ANDed together

---

🎯 Quick Reference

Problem	Solution	Example
Find by size	Use -size	find . -size 1033c
Find non-executable	Use ! -executable	find . ! -executable
Combine criteria	List multiple	find . ! -executable -size 1033c
Search absolute path	Use /path	find /inhere ...
Find executables	Use -executable	find . -executable

---

Questions about Level 6 or using the find command? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice