Wargames-Bandit-Level6

Level 6

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

Solution

還是要滿足一堆條件，繼續用find工具：

bandit6@bandit:~$ find --help
Usage: find [-H] [-L] [-P] [-Olevel] [-D debugopts] [path...] [expression]

default path is the current directory; default expression is -print
expression may consist of: operators, options, tests, and actions:
operators (decreasing precedence; -and is implicit where no others are given):
      ( EXPR )   ! EXPR   -not EXPR   EXPR1 -a EXPR2   EXPR1 -and EXPR2
      EXPR1 -o EXPR2   EXPR1 -or EXPR2   EXPR1 , EXPR2
positional options (always true): -daystart -follow -regextype

normal options (always true, specified before other expressions):
      -depth --help -maxdepth LEVELS -mindepth LEVELS -mount -noleaf
      --version -xdev -ignore_readdir_race -noignore_readdir_race
tests (N can be +N or -N or N): -amin N -anewer FILE -atime N -cmin N
      -cnewer FILE -ctime N -empty -false -fstype TYPE -gid N -group NAME
      -ilname PATTERN -iname PATTERN -inum N -iwholename PATTERN -iregex PATTERN
      -links N -lname PATTERN -mmin N -mtime N -name PATTERN -newer FILE
      -nouser -nogroup -path PATTERN -perm [-/]MODE -regex PATTERN
      -readable -writable -executable
      -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N
      -used N -user NAME -xtype [bcdpfls]      -context CONTEXT

actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print 
      -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit
      -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;
      -execdir COMMAND ; -execdir COMMAND {} + -okdir COMMAND ;

Valid arguments for -D:
exec, opt, rates, search, stat, time, tree, all, help
Use '-D help' for a description of the options, or see find(1)

Please see also the documentation at https://www.gnu.org/software/findutils/.
You can report (and track progress on fixing) bugs in the "find"
program via the GNU findutils bug-reporting page at
https://savannah.gnu.org/bugs/?group=findutils or, if
you have no web access, by sending email to <[email protected]>.

可以看到選項中有user group size可以用，直接搜：

注意這裏find後面加 / 表示從根目錄開始找，因爲題目沒說具體在哪，直接在當前目錄搜是搜不到的

bandit6@bandit:~$ find / -size 33c -group bandit6 -user bandit7
find: ‘/var/tmp/shujaa29’: Permission denied
find: ‘/var/tmp/systemd-private-9d5a994a101b4b4c9abddf9b9e8e2542-systemd-logind.service-Wzjvn1’: Permission denied
find: ‘/var/tmp/systemd-private-9d5a994a101b4b4c9abddf9b9e8e2542-systemd-resolved.service-v5X1ik’: Permission denied
find: ‘/var/tmp/systemd-private-9d5a994a101b4b4c9abddf9b9e8e2542-ModemManager.service-ki24KZ’: Permission denied
find: ‘/var/tmp/repo/README’: Permission denied
find: ‘/var/tmp/repo/.git’: Permission denied
find: ‘/var/tmp/systemd-private-9d5a994a101b4b4c9abddf9b9e8e2542-chrony.service-YGqlJV’: Permission denied
find: ‘/var/snap/lxd/common/lxd’: Permission denied
find: ‘/var/lib/amazon’: Permission denied
find: ‘/var/lib/chrony’: Permission denied
find: ‘/var/lib/private’: Permission denied
find: ‘/var/lib/udisks2’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/ubuntu-advantage/private’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/cache/pollinate’: Permission denied
find: ‘/var/cache/private’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/apparmor/c47eabf7.0’: Permission denied
find: ‘/var/cache/apparmor/e10c1cf9.0’: Permission denied
find: ‘/var/log/amazon’: Permission denied
find: ‘/var/log/chrony’: Permission denied
find: ‘/var/log/private’: Permission denied
find: ‘/var/log/unattended-upgrades’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/boot/efi’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/1081484/task/1081484/fd/6’: No such file or directory
find: ‘/proc/1081484/task/1081484/fdinfo/6’: No such file or directory
find: ‘/proc/1081484/fd/5’: No such file or directory
find: ‘/proc/1081484/fdinfo/5’: No such file or directory
find: ‘/run/chrony’: Permission denied
find: ‘/run/udisks2’: Permission denied
find: ‘/run/user/11018’: Permission denied
find: ‘/run/user/11026’: Permission denied
find: ‘/run/user/11011’: Permission denied
find: ‘/run/user/11031’: Permission denied
find: ‘/run/user/11019’: Permission denied
find: ‘/run/user/11015’: Permission denied
find: ‘/run/user/11010’: Permission denied
find: ‘/run/user/11028’: Permission denied
find: ‘/run/user/11003’: Permission denied
find: ‘/run/user/11020’: Permission denied
find: ‘/run/user/11007’: Permission denied
find: ‘/run/user/11014’: Permission denied
find: ‘/run/user/11032’: Permission denied
find: ‘/run/user/8003’: Permission denied
find: ‘/run/user/11009’: Permission denied
find: ‘/run/user/11002’: Permission denied
find: ‘/run/user/11008’: Permission denied
find: ‘/run/user/11004’: Permission denied
find: ‘/run/user/11023’: Permission denied
find: ‘/run/user/11013’: Permission denied
find: ‘/run/user/11012’: Permission denied
find: ‘/run/user/11025’: Permission denied
find: ‘/run/user/11006/systemd/inaccessible/dir’: Permission denied
find: ‘/run/user/11005’: Permission denied
find: ‘/run/user/11017’: Permission denied
find: ‘/run/user/11000’: Permission denied
find: ‘/run/user/11016’: Permission denied
find: ‘/run/user/11001’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/screen/S-bandit24’: Permission denied
find: ‘/run/screen/S-bandit23’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/credentials/systemd-sysusers.service’: Permission denied
find: ‘/run/systemd/propagate’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible/dir’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/snap/core20/1587/etc/ssl/private’: Permission denied
find: ‘/snap/core20/1587/root’: Permission denied
find: ‘/snap/core20/1587/var/cache/ldconfig’: Permission denied
find: ‘/snap/core20/1587/var/cache/private’: Permission denied
find: ‘/snap/core20/1587/var/lib/private’: Permission denied
find: ‘/snap/core20/1587/var/lib/snapd/void’: Permission denied
find: ‘/snap/core18/2538/etc/ssl/private’: Permission denied
find: ‘/snap/core18/2538/root’: Permission denied
find: ‘/snap/core18/2538/var/cache/ldconfig’: Permission denied
find: ‘/snap/core18/2538/var/lib/private’: Permission denied
find: ‘/dev/shm/eic-hostkey-vBCXkIBp’: Permission denied
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/ubuntu’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/root’: Permission denied
find: ‘/lost+found’: Permission denied

這裏報了一堆權限不夠，直接過濾掉：

bandit6@bandit:~$ find / -size 33c -group bandit6 -user bandit7 2> /dev/null 
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

搞定~~