THM Write-up: The FIND Command

Below is my (very first) write-up while working through the room: The find command —
https://tryhackme.com/room/thefindcommand

What does Find do?
This command is useful for asking the system to search for a specific item or pattern of text, ideally a Linux environment.

Firstly you tell the system to find something;
secondly you tell it where to look;
and finally, you tell it what to look for.

You don’t need to specify when you’re looking in your working directory.
Also, you can use wildcards (*) as well, in specifying both a directory and a name.

The basic command syntax is:
find <desired directory> <flags, as needed> <specific text or string in file>

Simple enough, right?

I highly suggest attempting to work through this room as best as you can before continuing to read below. Reading the questions slowly and breaking them apart should give a general idea of what you need for each one. Thankfully, you can also reset your progress in this room and try again at a later time if you need more practice.

Task 1 — Start Finding

This task is straight-forward. You will open a terminal and create two files to test the command using touch <filename1> <filename2>.

The second command find file* runs a wildcard search in the current working directory for any file including “file” in the name (you can verify this through the command: pwd).

The third command find *1 is like the previous command, but searches for any files with “1” instead of “file” in their name.

Note the wildcard location: its placement indicates what part of the file name can be anything.

Task 2 — Be More Specific

This section will introduce the use of flags and how to search in other directories. Recall that the entire list of flags can be reviewed via find --help. The main flags to keep in mind are:

-type f (specifies search for files only)
-type d (specifies search for directories only)
-name “<string value>” (searches for a specific word or string in the name)

…and do not forget wildcards!

1 — Find all files whose name ends with “.xml”

  • find / -type f -name “*.xml”

This command will search ALL directories (based on the standalone /) for files only, with the specified extension type (given the wildcard * placement before the .xml extension). The file name should be in quotes.

2 — Find all files in the /home directory whose name is “user.txt”

  • find /home -type f -name user.txt

This command is searching the home directory exclusively for files named “user.txt”.

3 — Find all directories whose name contains the word “exploits”

  • find / -type d -name “*exploits*”

The wildcards (*) placed before and after the term “exploits” allows for the search to return files including any characters or numbers before and/or after this specified word.

Task 3 — Know exactly what you’re looking for

More flags! This section will use the previous task’s flags, and some new ones:

-user <username>
-size <size# value (c=byte, k=kb, M=Mb, etc.)>
E.g. -size 256K
-perm <
octal or symbolic value>
-xmin, -xtime
(where x =
a for last accessed, m for last modified, or c for status changed)

I recommend reviewing chmod values for the -perm flag, but the easy way to remember is that there are three binary values under each membership (user, group, and other) that total to the octal number 7 (if this is a new concept, think of it as a point system… for a binary of 1, add the following octal value depending on the category: read = 4, write = 2, and execute = 1. They are always in that order, as seen in the example below).

Example Breakdown: Looking at the User (u), there is a 1 in the binary section for read and write. Read evaluates to the octal 4, write to 2, and execute to 0. Added together, 6 is the octal total. For Group (g), the octal is 4, which we can break down by subtracting. Since read = 4 octal, this indicates that this permission is the only one enabled.

1 — Find all files owned by the user “kittycat”

  • find / -type f -user kittycat

2 — Find all files that are exactly 150 bytes in size

  • find / -type f -size 150c

Recall that c represents bytes.

3 — Find all files in the /home directory (recursive) with size less than 2 KiB’s and extension “.txt”

  • find /home -type f -size -2k -name “*.txt”

-2k requests a file size less than 2kb, while +2k would request for file sizes greater than 2kb.

4 — Find all files that are exactly readable and writeable by the owner, and readable by everyone else

  • find / -type f -perm 644

Recall the chmod rules and calculate the octal values via addition.
(read = 4, write = 2, execute = 1)

5 — Find all files that are only readable by anyone

  • find / -type f -perm /444

The prefix “/” or “-” added before the octal value tells this command to search for files including — but not limited to — the requested permission.

6 — Find all files with write permission for the group “others”, regardless of any other permissions, with extension “.sh”

  • find / -type f -perm o=w -name “*.sh”

The permission is stating the owner must at least have the write permission.

7 — Find all files in the /usr/bin directory that are owned by root and have at least the SUID permission

  • find /usr/bin -type -f -user root -perm -u=s

Since root is the user, we just need to specify the user permission to include SUID (represented by “s”).

8 — Find all files that were not accessed in the last 10 days with extension “.png”

  • find / -type f -atime -10 -name “*.png”

Recall the three prefixes that can be used before min and time (days). The value “a” requests to search for files with the last access period to be at least 10 days ago.

9 — Find all files in the /usr/bin directory that have been modified within the last 2 hours
Note: possible trick question? The value will need to be in minutes, not hours.

  • find /usr/bin -type f -mmin -120

Task 4 — Have you found it?

Last explanation here, for the redirection operator, you can request find to output its results into a file of your choice. This is great for logging and reporting.

You only need to read the last bit of information and then click on ‘complete’. Nicely done!

Upcoming infosec professional with a passion for learning and reading all things computers, gaming, art, and cats. https://tryhackme.com/p/awildespurr