Security/CTF
Bandit Level 6 → Level 7 [6/34]
LimSeongHyeon
2025. 5. 28. 16:22
OverTheWire: Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
As always, let's start by exploring the directory.
bandit6@bandit:~$ ls -al
total 20
drwxr-xr-x 2 root root 4096 Apr 10 14:22 .
drwxr-xr-x 70 root root 4096 Apr 10 14:24 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
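Unlike the previous levels, the starting directory does not seem to contain any file apart from the default shell dotfiles.
Let's make use of the fact that the file is owned by user bandit7 and group bandit6. man find documents the following options: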
-group gname
File belongs to group gname (numeric group ID allowed).
-user uname
File is owned by user uname (numeric user ID allowed).
Let's combine both options and search the whole filesystem, starting from /.
bandit6@bandit:~$ find / -user bandit7 -group bandit6
find: ‘/root’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/1407352/task/1407352/fd/6’: No such file or directory
find: ‘/proc/1407352/task/1407352/fdinfo/6’: No such file or directory
find: ‘/proc/1407352/fd/5’: No such file or directory
find: ‘/proc/1407352/fdinfo/5’: No such file or directory
find: ‘/boot/lost+found’: Permission denied
find: ‘/boot/efi’: Permission denied
find: ‘/etc/polkit-1/rules.d’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/xinetd.d’: Permission denied
find: ‘/etc/credstore’: Permission denied
find: ‘/etc/multipath’: Permission denied
...
The Permission denied messages make the result hard to spot. Let's use 2>/dev/null to discard stderr and look again.
bandit6@bandit:~$ find / -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
Exactly one file was identified! Let's take a look at it.
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
[PASSWORD]
Yay~
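The search above used only the owner and group; as an added example (not part of the original post), the function below also applies the third property from the level goal, the 33-byte size, which narrows the match when several files share the same owner and group. The function names `find_owned` and `make_sample_tree` and the files they create are constructed for illustration, and the demo runs against a temporary directory with the current user's numeric IDs.

```sh
# find_owned ROOT USER GROUP BYTES
# Lists regular files under ROOT owned by USER:GROUP with an exact byte size.
find_owned() {
    # -size Nc counts bytes; a bare "-size N" would count 512-byte blocks.
    # 2>/dev/null drops the "Permission denied" noise. find exits non-zero
    # when it had to skip an unreadable directory, so the status is ignored.
    find "$1" -type f -user "$2" -group "$3" -size "${4}c" 2>/dev/null || true
}

# Constructed sample tree: one 33-byte file, one 34-byte decoy, one locked dir.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/var/lib" "$dir/locked"
    printf '%032d\n' 0 > "$dir/var/lib/target.password"  # 32 chars + newline = 33 bytes
    printf '%033d\n' 0 > "$dir/var/lib/decoy.txt"        # 34 bytes
    chgrp -R "$(id -g)" "$dir"                           # pin the group we search for
    chmod 000 "$dir/locked"                              # unreadable for non-root users
    printf '%s\n' "$dir"
}

tree=$(make_sample_tree)
# -user and -group accept numeric IDs, as the man page excerpt states.
find_owned "$tree" "$(id -u)" "$(id -g)" 33
chmod 755 "$tree/locked" && rm -rf "$tree"
```

On the Bandit server the equivalent call would be `find_owned / bandit7 bandit6 33`.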