Try Hack Me — Find Command — Write Up

This is a write-up for the room Find Command, which is available for free on TryHackMe: https://tryhackme.com/room/thefindcommand

This tutorial will help you understand how to use the find command effectively in a CTF context. It is written in a way that you won’t have to refer to the man page to complete it, although I recommend the man page for further reading.

Firstly, you tell the system to find something; secondly, you tell it where to look; and finally, you tell it what to look for.

These commands are useful when you want to specify only part of the name of what you’re looking for.

Start Finding:

Be More Specific:

#1 Find all files whose name ends with ".xml"

Ans: find / -type f -name "*.xml"

#2 Find all files in the /home directory (recursive) whose name is “user.txt”

Ans: find /home -type f -iname user.txt

#3 Find all directories whose name contains the word “exploits”

Ans: find / -type d -name "*exploits*"

Read the explanation given before each task; it will help you with the answer.

Know Exactly What You Are Looking For:

#1 Find all files owned by the user “kittycat”

Ans: find / -type f -user kittycat

#2 Find all files that are exactly 150 bytes in size

Ans: find / -type f -size 150c

#3 Find all files in the /home directory (recursive) with size less than 2 KiB’s and extension “.txt”

Ans: find /home -type f -size -2k -name "*.txt"

#4 Find all files that are exactly readable and writable by the owner, and readable by everyone else (use octal format)

Ans: find / -type f -perm 644

#5 Find all files that are only readable by anyone (use octal format)

Ans: find / -type f -perm /444

#6 Find all files with write permission for the group “others”, regardless of any other permissions, with extension “.sh” (use symbolic format)

Ans: find / -type f -perm -o=w -name "*.sh"

#7 Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

Ans: find /usr/bin -type f -user root -perm -u=s

#8 Find all files that were not accessed in the last 10 days with extension “.png”

Ans: find / -type f -atime +10 -name "*.png"

#9 Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours

Ans: find /usr/bin -type f -mmin -120

Have You Found It:

To conclude this tutorial, there are two more things you should know. The first is that you can use the redirection operator > with the find command to save the results of a search to a file. More importantly, you can suppress error output to make the results more readable: append 2> /dev/null to your command (2 is the file descriptor for standard error) and the "Permission denied" messages for locations you're not allowed to access are discarded, leaving only the matches.

The second thing is the -exec flag. You can use it in your find command to run another command on each result: place the command after -exec and terminate it with \;, like so: -exec whoami \;. The possibilities enabled by this option are beyond the scope of this tutorial, but most notably it can be used for privilege escalation.
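Below is an added example (it is not part of the room or of this write-up) that builds a small constructed sandbox directory and runs the same kinds of queries as the tasks above, so you can see the size rounding, the three -perm forms, the time tests, 2>/dev/null and -exec behave on known files. It assumes GNU findutils and coreutils (touch -d) and writes only under $TMPDIR or /tmp.

```shell
#!/bin/sh
# Added example, not from the original write-up: build a constructed sandbox and
# run find queries like the tasks above. Assumes GNU find/touch/chmod; nothing
# outside $SANDBOX is touched. Paths printed are relative to $SANDBOX.
SANDBOX="${TMPDIR:-/tmp}/find-demo.$$"

build_sandbox() {
    mkdir -p "$SANDBOX/home/user" "$SANDBOX/home/locked" "$SANDBOX/usr/bin"
    printf 'flag{constructed}' > "$SANDBOX/home/user/user.txt"   # 17 bytes: rounds up to 1 KiB block
    head -c 150 /dev/zero > "$SANDBOX/home/user/exact.bin"        # exactly 150 bytes
    head -c 4096 /dev/zero > "$SANDBOX/home/user/big.txt"         # 4 KiB: fails -size -2k
    printf '#!/bin/sh\n' > "$SANDBOX/home/user/run.sh"
    printf '<a/>' > "$SANDBOX/home/user/conf.xml"
    : > "$SANDBOX/usr/bin/tool"; : > "$SANDBOX/usr/bin/stale"
    chmod 644 "$SANDBOX/home/user/user.txt" "$SANDBOX/home/user/exact.bin" "$SANDBOX/home/user/conf.xml"
    chmod 600 "$SANDBOX/home/user/big.txt"          # owner-only, so not an exact -perm 644 match
    chmod 666 "$SANDBOX/home/user/run.sh"           # world-writable script
    chmod 755 "$SANDBOX/usr/bin/tool" "$SANDBOX/usr/bin/stale"
    touch -d '30 days ago' "$SANDBOX/home/user/conf.xml" "$SANDBOX/usr/bin/stale"  # old atime and mtime
    chmod 000 "$SANDBOX/home/locked"                # find cannot enter this unless run as root
}
cleanup_sandbox() { chmod 700 "$SANDBOX/home/locked" && rm -rf "$SANDBOX"; }

# Each query prints matching paths relative to the sandbox, sorted, one per line;
# 2>/dev/null drops the "Permission denied" noise from the locked directory.
rel() { sed "s|^$SANDBOX/||" | sort; }
find_xml()        { find "$SANDBOX" -type f -name '*.xml' 2>/dev/null | rel; }
find_small_txt()  { find "$SANDBOX/home" -type f -size -2k -name '*.txt' 2>/dev/null | rel; }
find_150_bytes()  { find "$SANDBOX" -type f -size 150c 2>/dev/null | rel; }
find_exact_644()  { find "$SANDBOX" -type f -perm 644 2>/dev/null | rel; }       # exactly rw-r--r--
find_world_w_sh() { find "$SANDBOX" -type f -perm -o=w -name '*.sh' 2>/dev/null | rel; }
find_stale_xml()  { find "$SANDBOX" -type f -atime +10 -name '*.xml' 2>/dev/null | rel; }
find_recent_bin() { find "$SANDBOX/usr/bin" -type f -mmin -120 2>/dev/null | rel; }

# -exec runs a command per match ({} is the path, \; ends the command). Here the
# action is defensive: strip the world-writable bit, then report how many remain.
harden_world_w_sh() {
    find "$SANDBOX" -type f -perm -o=w -name '*.sh' -exec chmod o-w {} \; 2>/dev/null || true
    find_world_w_sh | wc -l | tr -d ' '
}

build_sandbox
for q in find_xml find_small_txt find_150_bytes find_exact_644 find_world_w_sh find_stale_xml find_recent_bin; do
    printf '%-17s %s\n' "$q:" "$($q | paste -sd ' ' -)"
done
printf 'world-writable .sh files left after hardening: %s\n' "$(harden_world_w_sh)"
cleanup_sandbox
```

Run it as a normal user to see the locked directory being skipped silently; remove the 2>/dev/null from one query to see the error that would otherwise clutter the output.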

For any queries, contact me on my Twitter and LinkedIn profiles:

https://twitter.com/loveleshgangil

DFIR | ICSI (CNSS)