Needle in a Haystack: grep, piping, and the void

Welcome back to the 4th iteration of this blog series. In this series we’re growing our cybersecurity knowledge starting from the very basics, using the challenges as a guide. First, I’d like to thank everyone for their feedback on the last post! I’ll do my best to implement it and, as always, more feedback is welcome. Now let’s start!

The challenge for bandit6 is much like bandit5: to find our flag using details about the file. This time, we have a few different details, including the ownership information of the file. The challenge states that the password is “somewhere on the server” and sure enough there aren’t any files or directories in the home folder of bandit6. In that case, we’ll have to search the whole machine, and we can do that by passing the / directory to find. The / without any filenames attached to it specifies the root directory. The root directory and root user are much like the creation stories of the universe: they are the first directory and first user. As such, everything on the machine exists in the root directory (whether directly or within other subdirectories) and everything on the machine is completely accessible by the root user (until disabled). After looking at the man page for find we can see that we can specify the user and group, so let’s add those in:

Woah! That’s a lot of text. A lot of it is not helpful to us either. We can see that these unhelpful (in our current scenario) messages are just errors. But let’s look through the list and see if we find anything interesting:

There it is! Or at least it looks like it should be the flag we’re looking for. But let’s see if we can find it again without having to sort through this massive list. In many ways we were lucky in this situation: the list of errors wasn’t insanely long, our desired result was pretty close to the bottom and likely to be spotted easily, and our result had a very obvious name.

One way to suppress unwanted screen messages is by sending them to the “void”. Yes, it’s real and all computers have one. The void is a “file” on the machine located at “/dev/null” that the computer keeps at 0 bytes by constantly deleting any contents in it. One way we can send things to the void is by redirecting stdout. By sending our output from find to the void, we can suppress the error messages. Unfortunately, simply sending the output means we’ll get nothing back, good or bad. Fortunately, Unix has a standard for outputs. In our case, the number “2” is designated for errors. The “2” must be immediately followed by the > so that the computer understands that we mean the “error” messages:

So we can tell find to send only the errors to the void and print everything else:
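As an added example (not a command from the original post), the same search can be rehearsed on a constructed sandbox. The current user's numeric IDs stand in for the challenge's owner and group, and the function names and the deliberately missing start path are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed sandbox standing in for "/": one 33-byte file plus a decoy.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/lib/hidden" "$d/etc"
    printf '%032d\n' 0 > "$d/var/lib/hidden/flag"   # 32 chars + newline = 33 bytes
    printf 'too short\n' > "$d/etc/decoy"           # same owner, wrong size
    printf '%s\n' "$d"
}

# Search by owner ($2), group ($3) and exact size in bytes (33c).
# "$1/missing" does not exist, so find always writes one error to stderr,
# standing in for the wall of errors a search of the whole server produces.
# "2>" redirects only that error stream; matches still arrive on stdout.
find_quiet() {
    find "$1" "$1/missing" -type f -user "$2" -group "$3" -size 33c 2>/dev/null
}

# Inverse view: point stderr at the caller first, then discard stdout, so
# only the messages that find_quiet throws away are returned.
find_errors_only() {
    find "$1" "$1/missing" -type f -user "$2" -group "$3" -size 33c 2>&1 >/dev/null
}

demo() {
    d=$(make_sandbox)
    echo "matches: $(find_quiet "$d" "$(id -u)" "$(id -g)")"
    echo "dropped: $(find_errors_only "$d" "$(id -u)" "$(id -g)")"
    rm -rf "$d"
}
demo
```

On the challenge server the first argument would be / and the owner and group would be the ones named in the level description.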

Cool! Now let’s see what’s inside:

Let’s head to the next one.

The challenge this time is to find the word “millionth” in a file. If we had access to a GUI we could’ve done this very quickly with the “command + F” or “control + F” function that exists in most modern operating systems these days. Alas, we’re limited to a CLI. Fortunately, being locked in a CLI is not particularly a limitation. In fact, there are functions that can only be done in the CLI. The CLI is how a computer operates behind the scenes and is the raw power of a machine. In fact, we can use a text editor in the CLI. Vim and Vi are very powerful text editors and are included in all Unix machines. But let’s not get ahead of ourselves just yet. What’s in this “data.txt” anyway?

Another long list of text. The format makes it pretty easy to work with, though, since every line has a word and some password-like text separated by what looks like a tab. We have the perfect solution for this: grep. The hint here is to find the word “millionth” and our password will be next to it. Let’s do that:

This was easy since we already knew how to use grep with a file. So let’s talk about using Vi or Vim. They’re both text editors, Vi being the original and Vim being the updated, more modern version of Vi. By default, all Unix systems will have Vi installed, and most modern systems will have Vim as well. Vim is installed on this machine so let’s use it with vim data.txt:

In this setup of Vim, we can see that the lines are numbered and the cursor is marked by the intersection of the gray lines. Vim will look different depending on how it’s set up on every machine though, so be on the lookout for that. Vim is a bit complex in that it doesn’t let you type or edit the file without first entering “insert mode”. That’s because Vim is in “command mode” by default and keystrokes have functions assigned to them. You can find all the functions by looking up a cheatsheet for Vim. In this case, make sure you’re not in “insert mode” by pressing the ESC key on your keyboard. Then type / followed by the word we’re searching for, millionth:

You’ll see that Vim automatically starts searching as you type your word and we find our password again. Vim also has the ability to copy and paste from the machine clipboard. Can you find out the command for that? To exit from Vim, type in :q!.

Another way to find this password would be to combine commands. We can combine commands using the | (pipe). We can use stdin to feed our file to grep without using the filename in the command itself, but stdin and stdout are limited to passing to and from existing files. This is where the | is very useful.

The | is called a “pipe” and it functions by passing the output of one command to the command that comes after the |. You can link multiple commands with | and it functions to pass the result of the first command without having to first store it in something. So we can use cat with the | and grep to achieve a similar result.

We’ve used grep before for regex but we can also pass non-regex to it. If you pass words in quotes, grep will simply look for that word or pattern exactly.
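The three ways of handing the file to grep described above, side by side, as an added example that is not from the original post. The file contents are constructed and the function names are assumptions; the -w flag and the “millionths” decoy line go slightly beyond the post to show whole-word matching.

```shell
#!/bin/sh
# Constructed stand-in for data.txt: a word, a tab, then a password-like value.
make_data() {
    f=$(mktemp) || return 1
    printf 'thousandth\tCONSTRUCTED-VALUE-AAAA\n'  > "$f"
    printf 'millionths\tCONSTRUCTED-VALUE-BBBB\n' >> "$f"
    printf 'millionth\tCONSTRUCTED-VALUE-CCCC\n'  >> "$f"
    printf 'billionth\tCONSTRUCTED-VALUE-DDDD\n'  >> "$f"
    printf '%s\n' "$f"
}

# Same search, three ways of getting the data to grep.
by_filename() { grep -w 'millionth' "$1"; }         # grep opens the file itself
by_stdin()    { grep -w 'millionth' < "$1"; }       # the shell opens it as grep's stdin
by_pipe()     { cat "$1" | grep -w 'millionth'; }   # cat's stdout becomes grep's stdin

# A longer chain: keep only the second tab-separated field of the match.
value_only()  { cat "$1" | grep -w 'millionth' | cut -f2; }

# Without -w the pattern matches anywhere in a line, so the "millionths"
# line is counted as well; -c prints the number of matching lines.
loose_count() { grep -c 'millionth' "$1"; }

demo() {
    f=$(make_data)
    echo "filename: $(by_filename "$f")"
    echo "stdin:    $(by_stdin "$f")"
    echo "pipe:     $(by_pipe "$f")"
    echo "value:    $(value_only "$f")"
    echo "lines matched without -w: $(loose_count "$f")"
    rm -f "$f"
}
demo
```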

We’ve very lightly touched on Vim and I’m sure we’ll be using it more in later levels to create and edit files, and even to escalate our privileges. We’ve discussed the void and seen how we can use it to hide unnecessary information. We’ve also explored more options for find and how we can search by ownership. Have you tried find in the root folder and only specifying the size of 33 bytes? 33 bytes is the size of our files when they only contain a password. Could we find more passwords for other levels?


