[overthewire] Bandit Level 6 → Level 7

moon_security·2025년 2월 26일
bandit

[OverTheWire] Bandit

목록 보기
8/32

문제 목표!

The password for the next level is stored somewhere on the server and has all of the following properties

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

이번에는 서버 어딘가에 저장된 파일이네요. 범위가 좀 더 커졌습니다.
파일의 특징은 user bandit7 소유, group bandit6 소유, 33 바이트 크기의 파일입니다.

문제 풀이!

파일을 찾는 것이니 'Bandit Level 5'에서 처럼 find 명령어를 사용하면 될 것 같습니다.

find 명령어의 옵션중 아래와 같은 것을 사용할 수 있겠군요!

  • -user: 지정한 사용자 소유의 파일이나 디렉토리 찾음
  • -group: 지정한 그룹 소유의 파일이나 디렉토리 찾음
  • 서버 전체에서 검색을 하려면 보통 /(루트 경로)에서 부터 시작함

위의 옵션을 사용하여 bandit6에서 검색을 해보겠습니다.

bandit6@bandit:~$ find / -type f -size 33c -user bandit7 -group bandit6
find: ‘/drifter/drifter14_src/axTLS’: Permission denied
find: ‘/root’: Permission denied
find: ‘/snap’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/220653/task/220653/fdinfo/6’: No such file or directory
find: ‘/proc/220653/fdinfo/5’: No such file or directory
find: ‘/home/bandit31-git’: Permission denied
find: ‘/home/ubuntu’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/drifter8/chroot’: Permission denied
find: ‘/home/drifter6/data’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/etc/polkit-1/rules.d’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/etc/stunnel’: Permission denied
find: ‘/etc/xinetd.d’: Permission denied
find: ‘/etc/credstore.encrypted’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/credstore’: Permission denied
find: ‘/dev/shm’: Permission denied
find: ‘/dev/mqueue’: Permission denied
find: ‘/var/log/amazon’: Permission denied
find: ‘/var/log/unattended-upgrades’: Permission denied
find: ‘/var/log/chrony’: Permission denied
find: ‘/var/log/private’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/pollinate’: Permission denied
find: ‘/var/cache/private’: Permission denied
find: ‘/var/cache/apparmor/2425d902.0’: Permission denied
find: ‘/var/cache/apparmor/baad73a1.0’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/lib/amazon’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/chrony’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/private’: Permission denied
find: ‘/var/lib/ubuntu-advantage/apt-esm/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
find: ‘/var/lib/udisks2’: Permission denied
find: ‘/var/crash’: Permission denied
find: ‘/boot/efi’: Permission denied
find: ‘/boot/lost+found’: Permission denied
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/run/systemd/inaccessible/dir’: Permission denied
find: ‘/run/systemd/propagate/systemd-udevd.service’: Permission denied
find: ‘/run/systemd/propagate/systemd-resolved.service’: Permission denied
find: ‘/run/systemd/propagate/systemd-networkd.service’: Permission denied
find: ‘/run/systemd/propagate/irqbalance.service’: Permission denied
find: ‘/run/systemd/propagate/systemd-logind.service’: Permission denied
find: ‘/run/systemd/propagate/chrony.service’: Permission denied
find: ‘/run/systemd/propagate/polkit.service’: Permission denied
find: ‘/run/systemd/propagate/ModemManager.service’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/log/journal/ec2dd69f90c4a6285216f71caca9bbca’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/multipath’: Permission denied
find: ‘/run/screen/S-bandit18’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/user/11003’: Permission denied
find: ‘/run/user/11027’: Permission denied
find: ‘/run/user/11001’: Permission denied
find: ‘/run/user/11005’: Permission denied
find: ‘/run/user/11012’: Permission denied
find: ‘/run/user/11013’: Permission denied
find: ‘/run/user/11015’: Permission denied
find: ‘/run/user/11000’: Permission denied
find: ‘/run/user/11006/systemd/inaccessible/dir’: Permission denied
find: ‘/run/user/11016’: Permission denied
find: ‘/run/user/11004’: Permission denied
find: ‘/run/user/11009’: Permission denied
find: ‘/run/user/11014’: Permission denied
find: ‘/run/user/11002’: Permission denied
find: ‘/run/user/11008’: Permission denied
find: ‘/run/user/11010’: Permission denied
find: ‘/run/user/11025’: Permission denied
find: ‘/run/user/11017’: Permission denied
find: ‘/run/user/11007’: Permission denied
find: ‘/run/user/11020’: Permission denied
find: ‘/run/user/11011’: Permission denied
find: ‘/run/user/8003’: Permission denied
find: ‘/run/user/11023’: Permission denied
find: ‘/run/user/11024’: Permission denied
find: ‘/run/user/11026’: Permission denied
find: ‘/run/user/11030’: Permission denied
find: ‘/run/user/8004’: Permission denied
find: ‘/run/user/11019’: Permission denied
find: ‘/run/user/11021’: Permission denied
find: ‘/run/user/11031’: Permission denied
find: ‘/run/user/11022’: Permission denied
find: ‘/run/user/11018’: Permission denied
find: ‘/run/chrony’: Permission denied
find: ‘/run/udisks2’: Permission denied

... 상당히 많은 출력이 나오네요.
찾아보니 /(루트 디렉토리)에서 부터 검색을 시작하면 모든 파일과 디렉토리를 둘러봅니다. 그 과정에서 일반 사용자가 접근할 수 없는 파일이나 디렉토리가 있기 때문에 저런 오류 메시지가 출력된다고 합니다!

이 오류 메시지를 없애기 위해서는 '2>/dev/null'을 추가하면 됩니다.

2>/dev/null란?

  • 리눅스에서는 프로그램 실행 결과가 두 가지 종류로 나뉨
  • 표준 출력: 정상적인 출력 결과(기본 번호 1로 표시)
  • 표준 에러: 오류 메시지(기본 번호 2로 표시)
  • 표준 에러 메시지를 /dev/null로 리다이렉션 시키는데, 여기서 /dev/null은
    모든 데이터를 버리는 가상의 파일로 '휴지통'이라고 생각하면 됨!

이를 참고하여 명렁어를 다시 입력해 보면 비밀번호가 작성된 파일을 찾을 수 있습니다.

bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

비밀번호 찾기 성공 :)

profile
moon_security
모의해킹 & 보안 공부 기록 블로그
이전 포스트

[overthewire] Bandit Level 5 → Level 6

다음 포스트

[overthewire] Bandit Level 7 → Level 8

1개의 댓글

comment-user-thumbnail
Fighting314
2025년 2월 27일

출력이 정말 많군뇨!!

답글 달기