Skip to main content
🧠Educationalbeginner11 min read
β€’

OverTheWire Bandit Level 7: Finding Files by Ownership

OverTheWire Bandit Level 7 walkthrough. Learn how to use the find command to locate files by ownership (user and group), understand file permissions, and search efficiently in Linux.

OverTheWireBanditLinuxbeginnerCTFfind commandfile ownershippermissions
Share:𝕏inβ¬‘βœ‰
πŸ”—OverTheWire Bandit Series
Part 8 of 34
πŸ“šView all posts in OverTheWire Bandit series

πŸ‘€ OverTheWire Bandit Level 7: Finding Files by Ownership

Level 7 builds on what you learned in Level 6, but now you're searching by file ownership instead of size or permissions. In Linux, every file has an owner (user) and a group. Understanding ownership is crucial for security assessmentsβ€”you'll constantly need to find files owned by specific users or groups.

Level 7 teaches you:

  • Using find to search by file ownership
  • Understanding user and group ownership
  • Combining multiple find criteria
  • Redirecting error messages to /dev/null
  • Why file ownership matters in security

This level combines everything you've learned so farβ€”you'll use find with ownership criteria, and you'll need to understand how Linux manages file permissions. This is real-world stuff you'll use constantly in penetration testing.

🎯 The Objective

After logging into bandit6, your goal is to find the password for Level 7. The password is in a file somewhere in /var/lib/dpkg/info/ directory. The file has specific characteristics: it's owned by user bandit7 and group bandit6, and it's exactly 33 bytes in size.

What Level 7 teaches:

  • Using find to search by user ownership (-user)
  • Using find to search by group ownership (-group)
  • Combining ownership criteria with size criteria
  • Understanding file ownership in Linux
  • Handling permission errors with 2> /dev/null

The challenge: There are many files in /var/lib/dpkg/info/. You need to find the one file that matches all three criteria: owned by bandit7, group bandit6, and exactly 33 bytes. Manual searching would be impossibleβ€”that's why find exists.

πŸ” Understanding the Problem

Let's start by connecting to Level 6 and seeing what we're dealing with:

sshpass -p `cat bandit6` ssh bandit6@bandit.labs.overthewire.org -p 2220

Once connected, let's check what's in /var/lib/dpkg/info/:

ls -la /var/lib/dpkg/info/ | head -20

You should see many files. If you try to explore manually, you'll find hundreds of filesβ€”this would take forever to check manually.

The problem: How do you quickly find a file that's:

  • Owned by user bandit7
  • Owned by group bandit6
  • Exactly 33 bytes in size
  • Somewhere in /var/lib/dpkg/info/ (which has many files)

The answer: Use find with ownership and size criteria.

🧠 Understanding File Ownership

Let's dive deeper into file ownership, because this concept is fundamental to Linux security:

What Is File Ownership?

In Linux, every file has:

  • Owner (user) β€” The user who created the file or who it belongs to
  • Group β€” A group that the file belongs to
  • Permissions β€” What the owner, group, and others can do with the file

Check file ownership:

ls -l filename

Example output:

-rw-r-----  1 bandit7 bandit6   33 Jan 16 12:00 password.txt

Breaking down the ownership:

  • bandit7 β€” Owner (user)
  • bandit6 β€” Group
  • 33 β€” File size in bytes

Why Ownership Matters

File ownership controls:

  • Who can read the file β€” Owner, group members, or others
  • Who can modify the file β€” Usually only the owner
  • Who can execute the file β€” If it's an executable

In security assessments, finding files owned by specific users can reveal:

  • User-specific configuration files
  • Files containing user credentials
  • Files that might have incorrect permissions
  • Potential privilege escalation vectors

πŸ“‹ Step-by-Step Walkthrough

Step 1: Connect to Level 6

sshpass -p `cat bandit6` ssh bandit6@bandit.labs.overthewire.org -p 2220

Step 2: Use find with Ownership and Size Criteria

Use find to search for files matching all three criteria:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null

Breaking this down:

  • find /var/lib/dpkg/info/ β€” Search in this directory
  • -user bandit7 β€” Files owned by user bandit7
  • -group bandit6 β€” Files owned by group bandit6
  • -size 33c β€” Files exactly 33 bytes (the c means bytes)
  • 2> /dev/null β€” Redirect error messages to /dev/null (we'll explain this below)

What you'll see: The command will output the path to the file that matches all criteria. It might look something like /var/lib/dpkg/info/bandit7.password.

Step 3: Read the File

Once you have the file path, read it:

cat /var/lib/dpkg/info/bandit7.password

(Replace with the actual path from your find output)

The output will be the password for Level 7.

Step 4: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit7

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit7 -NoNewline

Step 5: Connect to Level 7

sshpass -p `cat bandit7` ssh bandit7@bandit.labs.overthewire.org -p 2220

πŸ’‘ Understanding 2> /dev/null

You might have noticed 2> /dev/null at the end of the find command. Let's understand what this does:

Standard Streams in Linux

Linux has three standard streams:

  • stdin (0) β€” Standard input (your keyboard)
  • stdout (1) β€” Standard output (your terminal)
  • stderr (2) β€” Standard error (error messages)

What 2> /dev/null Does

The 2> redirects stderr (error messages) to /dev/null:

  • 2 β€” File descriptor for stderr
  • > β€” Redirect operator
  • /dev/null β€” A special file that discards everything written to it

Why this matters: When find searches directories you don't have permission to access, it generates "Permission denied" errors. These errors go to stderr and clutter your output. By redirecting stderr to /dev/null, you hide these errors and only see the actual results.

Example:

# Without redirecting errors:
find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c
# Output: Lots of "Permission denied" errors mixed with results

# With redirecting errors:
find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Output: Only the actual results, no errors

For Level 7: We use 2> /dev/null to clean up the output and make it easier to see the file we're looking for.

πŸ› οΈ Alternative Methods

Here are different ways to find the file:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null

Pros: Fast, efficient, searches recursively, clean output Cons: None really

Method 2: Search Without Error Suppression

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c

Pros: Shows all errors (might be useful for debugging) Cons: Cluttered output, harder to find the result

Method 3: Search by Ownership First, Then Size

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 2> /dev/null | xargs ls -l | grep "33 "

Pros: Shows file details Cons: More complex, requires understanding xargs and grep

ls -la /var/lib/dpkg/info/ | grep bandit7
# Then manually check each file...

Pros: Simple, no new commands Cons: Extremely slow, error-prone, nearly impossible

For Level 7, use Method 1 β€” it's the most efficient and teaches you valuable skills.

πŸ”’ Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll constantly search for files by ownership:

1. Finding User-Specific Files

Files owned by specific users might contain:

  • User credentials
  • Personal data
  • Configuration files
  • SSH keys

Example: Finding files owned by a user:

find /home -user username -type f

2. Finding Files Owned by Root

Files owned by root might be:

  • System configuration files
  • SUID binaries
  • Critical system files

Example: Finding root-owned files:

find /etc -user root -name "*.conf"

3. Finding Files with Incorrect Ownership

Files with unusual ownership might indicate:

  • Misconfiguration
  • Security issues
  • Potential privilege escalation

Example: Finding world-writable files owned by root:

find / -user root -perm -002 -type f 2> /dev/null

4. Finding Group-Owned Files

Files owned by specific groups might be:

  • Shared resources
  • Group configuration files
  • Files accessible to group members

Example: Finding files owned by a group:

find /var -group www-data -type f

5. Combining Ownership with Other Criteria

Real-world searches often combine multiple criteria:

Example: Finding large files owned by a user:

find /home -user username -size +100M

Example: Finding executable files owned by root:

find /usr/bin -user root -executable -type f

The skill you're learning: How to efficiently search for files based on ownership. This is essential when:

  • Enumerating user directories
  • Finding configuration files
  • Identifying security misconfigurations
  • Locating files with specific permissions
  • Analyzing file system security

🚨 Common Mistakes

Mistake 1: Wrong User or Group Name

Wrong:

find /var/lib/dpkg/info/ -user bandit6 -group bandit7 -size 33c 2> /dev/null
# Swapped user and group!

Right:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Correct user and group

Why: The user and group are specific. Make sure you have them in the right order.

Mistake 2: Forgetting 2> /dev/null

Wrong:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c
# Output cluttered with permission errors

Right:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Clean output

Why: Without redirecting errors, your output will be full of "Permission denied" messages, making it hard to find the actual result.

Mistake 3: Wrong Size Unit

Wrong:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33
# This means 33 * 512-byte blocks, not bytes!

Right:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c
# The 'c' means bytes

Why: Without a unit, find uses 512-byte blocks. You need c for bytes.

Mistake 4: Not Including All Criteria

Wrong:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 2> /dev/null
# Only checks ownership, might return multiple files

Right:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Checks all three criteria

Why: You need all three criteria to find the exact file. Ownership alone might match multiple files.

Mistake 5: Wrong Path

Wrong:

find var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Missing leading /, searches relative path

Right:

find /var/lib/dpkg/info/ -user bandit7 -group bandit6 -size 33c 2> /dev/null
# Absolute path starting from root

Why: /var/lib/dpkg/info/ is an absolute path. Without the leading /, it would search relative to your current location.

πŸ’» Practice Exercise

Try these to reinforce what you learned:

  1. Find files by user:

    find ~ -user $USER -type f | head -10
# Files you own in your home directory

  2. Find files by group:

    find /etc -group root -name "*.conf" 2> /dev/null
# Configuration files owned by root group

  3. Combine ownership with size:

    find /tmp -user $USER -size +1M 2> /dev/null
# Large files you own in /tmp

  4. Find files with specific ownership:

    find . -user root -group root -type f 2> /dev/null
# Files owned by root user and root group

πŸŽ“ Understanding File Ownership Commands

This is a good time to understand ownership-related commands:

ls -l to See Ownership

ls -l filename

Shows: -rw-r--r-- 1 owner group size date filename

chown to Change Ownership

chown user:group filename

Changes file ownership (requires appropriate permissions).

id to See Your User and Groups

id

Shows your user ID and group memberships.

groups to See Your Groups

groups

Lists groups you belong to.

For Level 7: We use find with -user and -group to search by ownership, not to change it.

πŸ”— What's Next?

Level 8 introduces text processingβ€”one of the most powerful skills in Linux. You'll learn to use grep to search for specific text within files, which is essential for finding passwords and other information in large files.

Before moving on, make sure you:

  • βœ… Successfully used find with ownership criteria
  • βœ… Understand how -user and -group work
  • βœ… Can combine ownership with size criteria
  • βœ… Know how to redirect errors with 2> /dev/null
  • βœ… Understand file ownership in Linux

πŸ“š Key Takeaways

After completing Level 7, you should understand:

  1. File ownership β€” Every file has an owner (user) and a group
  2. find -user β€” Search for files owned by a specific user
  3. find -group β€” Search for files owned by a specific group
  4. Combining criteria β€” Multiple criteria are ANDed together
  5. Error redirection β€” Using 2> /dev/null to hide permission errors

🎯 Quick Reference

ProblemSolutionExample
Find by userUse -userfind . -user username
Find by groupUse -groupfind . -group groupname
Hide errorsUse 2> /dev/nullfind . ... 2> /dev/null
Combine criteriaList multiplefind . -user u -group g -size 33c
Check ownershipUse ls -lls -l filename

Questions about Level 7 or using find with ownership? Reach out directly:

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice

Found this helpful? Share it:

Share:𝕏inβ¬‘βœ‰

Need Help With This?

Have questions about implementing these security practices? Let's discuss your specific needs.

Get in Touch

More in Educational

Explore more articles in this category.

Browse 🧠 Educational

Related Articles