The find command ~ THM Writeup
Irshad Ahamed
May 13, 2020·4 min read
I sincerely thanks the Tryhackme.com for creating such a platform for the cyber community!
This is a writeup for the room: The find command [https://tryhackme.com/room/thefindcommand]
To be precise, the ‘find’ command is used to search for files in a directory hierarchy, and as the necessary explanation is available there, we will look at the tasks.
Note: The tasks are easy to solve on sight, but only few questions needs explanation for beginners and you can find them so!
TASK -1 : ?
TASK -2 :
#1 Find all files whose name ends with “.xml”
Ans: find / -type f -name “*.xml”
#2 Find all files in the /home directory (recursive) whose name is “user.txt”
Ans: find /home -type f -iname user.txt
#3 Find all directories whose name contains the word “exploits”
Ans: find / -type d -name “*exploits*”
TASK -3:
#1 Find all files owned by the user “kittycat”
Ans: find / -type f -user kittycat
#2 Find all files that are exactly 150 bytes in size
Ans: find / -type f -size 150c
Explanation: To sort the files by size, one can use ‘-size’. The size number ‘150’ is suffixed by ‘c’ denotes “bytes”.
#3 Find all files in the /home directory (recursive) with size less than 2 KiB’s and extension “.txt”
Ans: find /home -type f -size -2k -name “*.txt”
Explanation: To sort by kilobytes, the size number is suffixed with ‘k’ and due to the condition “less than”, final size denoted as ‘-2k’. In the extension, ‘*’ denotes to find all the files that contains that name ‘.txt’.
#4 Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format)
Ans: find / -type f -perm 644
Explanation: To sort by file permissions, one can use ‘-perm’. The file permissions can be represented in either symbolic or octal format (i.e. u=r [or] 644 ). On further breaking down, the number ‘6’ denotes the OWNER & the rest denotes the USER GROUP & OTHER USERS.
#5 Find all files that are only readable by anyone (use octal format)
Ans: find / -type f -perm /444
Explanation: The ‘444' is prefixed by ‘/’, so that it will match files that are readable and writable by at least one of the groups (owner, group, or others).
#6 Find all files with write permission for the group “others”, regardless of any other permissions, with extension “.sh” (use symbolic format)
Ans: find / -type f -perm -o=w -name “*.sh”
#7 Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)
Ans: find /usr/bin -type f -user root -perm -u=s
#8 Find all files that were not accessed in the last 10 days with extension “.png”
Ans: find / -type f -atime +10 -name “*.png”
Explanation: To filter the file by DAYs of ACCESSING, ‘time’ is used prefixed with ‘-a’. As the requirement is that the file should NOT be accessed in last ‘10’ days, the number ‘10’ is prefixed with ‘+’.
#9 Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours
Ans: find /usr/bin -type f -mmin -120
Explanation: To filter the file by HOURs of MODIFICATION, ‘min’ is used prefixed with ‘-m’. As the requirement is that the file should have been MODIFIED within last two hours, the hours in minutes is taken prefixed with ‘-120’.
TASK -4:
2> /dev/null
The above flag is used with findcommand to neglect the unwanted error that are displayed in the terminal, making the output bit legible to view. This is helpful when the search surface is bit huge
-exec
The above flag is used to execute any defined action, after performing the ‘find’ operation. Remember the privilege escalation bug in sudo!!! ?
IF YOU FIND THIS ARTICLE USEFUL, MAKE A CLAP. I’ LL BE WRITING MORE USEFUL ARTICLES!