Using the find command with specific properties to locate a single file across dozens of directories and why filtering by file attributes is a core investigative skill.

Introduction

Day 6. Bandit Level 5 to Level 6. The previous level had ten files in one directory. This level has dozens of directories each containing multiple files. Manually checking every single one is not a realistic option. The answer is the find command used with precise filters to narrow the search down to exactly one result.

This level is where Linux starts to feel genuinely powerful. The find command can search an entire file system and filter results by size, type, permissions, ownership, timestamps and more. That combination makes it one of the most versatile tools available to any analyst working on a Linux system.

By the end of this article you will know how to construct a find command that matches files by multiple properties simultaneously and why that approach is essential when working with large, unfamiliar directory structures.

Level Objective

The password for Level 6 is stored somewhere inside the inhere directory in the home directory of bandit5. The file has three specific properties: it is human-readable, it is exactly 1033 bytes in size and it is not executable. Those three filters are enough to identify it uniquely among all the files in the directory tree.

Approach

I logged in using the password retrieved from Level 4 to Level 5:

ssh [email protected] -p 2220

The banner appeared and the prompt changed to bandit5@bandit:~$. I ran ls and found the inhere directory. I moved into it and ran ls -la:

cd inhere

ls -la

Twenty subdirectories. Each one named maybehere followed by a number. Opening each manually would have taken far too long.

Logged into bandit5 via SSH on port 2220.

I built a find command using the three properties given in the level description. The size filter uses c to specify bytes, the type filter limits results to regular files and the ! operator negates the executable filter:

find . -type f -size 1033c ! -executable

One result came back immediately. I read it directly using the path returned by find:

cat ./maybehere07/.file2

The password printed to the terminal.

Password for Level 6 retrieved.

Commands Used

# Connect to the Bandit server as bandit5 using the Level 5 password

ssh [email protected] -p 2220

# List the home directory to locate the inhere folder

ls

# Move into the inhere directory

cd inhere

# Check the directory structure

ls -la

# Find the file matching all three required properties

find . -type f -size 1033c ! -executable

# Read the file returned by the find command

cat ./maybehere07/.file2

Command Breakdown

find .

Starts the search from the current directory and works recursively through every subdirectory beneath it. The dot represents the current location.

-type f

Limits results to regular files only. This excludes directories, symbolic links and other special file types from the output.

-size 1033c

Filters for files that are exactly 1033 bytes in size. The c suffix tells find to measure in bytes. Without it, find defaults to 512-byte blocks which would return the wrong results.

! -executable

The ! operator negates the condition that follows it. The -executable test is evaluated for the user running find, so this returns only files that user cannot execute, excluding scripts, binaries and anything else with execute permission set for them.

-readable

An optional additional filter that explicitly matches files the current user has read permission on. Useful when narrowing results further in a large file system.
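The three properties from the level, rebuilt as an added example that is not part of the original walkthrough: the script creates a small constructed tree with one target and four decoys, runs the page's find filters, then adds a content check for the human-readable property, which find cannot test by itself. The directory layout, file contents and helper names (fill, build_tree, is_text and the rest) are assumptions made for the demo, and GNU find is assumed for -executable.

```bash
#!/usr/bin/env bash
# Added example (constructed data): Bandit-style tree with one target and four decoys.
# Assumes GNU find (-executable), as used on the page.

fill() { head -c "$1" /dev/zero | tr '\0' "$2" > "$3"; }   # size in bytes, fill byte, path

build_tree() {                                       # $1 = root of the sample tree
  mkdir -p "$1/maybehere00" "$1/maybehere01" "$1/maybehere02"
  fill 1033 A "$1/maybehere01/.file2"                # target: text, 1033 bytes, not executable
  fill 1033 A "$1/maybehere00/.file1"                # decoy: right size, but executable
  chmod 750 "$1/maybehere00/.file1"
  head -c 1033 /dev/zero > "$1/maybehere00/.file3"   # decoy: right size, binary (NUL bytes)
  fill 1034 A "$1/maybehere02/.file1"                # decoy: one byte too large
  fill 528896 A "$1/maybehere02/.file2"              # decoy: 1033 * 512 bytes (block-unit trap)
}

# "Human-readable" check: no bytes outside printable ASCII and whitespace.
is_text() {
  [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# The page's command: regular file, exactly 1033 bytes, not executable by the caller.
by_metadata() { find "$1" -type f -size 1033c ! -executable | sort; }

# Same filters plus the content check that find cannot do on its own.
by_metadata_and_content() {
  by_metadata "$1" | while IFS= read -r f; do
    if is_text "$f"; then printf '%s\n' "$f"; fi
  done
}

# Dropping the c suffix switches the unit to 512-byte blocks.
without_c_suffix() { find "$1" -type f -size 1033 ! -executable | sort; }

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
build_tree "$demo_root"
echo "metadata only:";      by_metadata "$demo_root"
echo "metadata + content:"; by_metadata_and_content "$demo_root"
echo "-size 1033 (no c):";  without_c_suffix "$demo_root"
```

On the constructed tree the metadata filters alone return two files, the content check narrows that to one, and dropping the c suffix matches only the 528896-byte decoy.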

Lesson Learned

The main technical takeaway is that find is not just a search tool. It is a filtering engine. When you combine type, size and permission filters you can locate a specific file in a directory tree of any size in seconds. That capability does not diminish as the environment gets larger. It becomes more valuable.

What surprised me was how clean the output was. One command, one result. That precision felt like a significant step up from the previous levels. It also made me realise how much time analysts can waste when they do not know which tool to reach for. A manual search through twenty directories would have taken minutes. The find command took under a second.

Going forward, whenever I am looking for a file with known properties I will reach for find immediately rather than browsing directories manually. Properties like size, type and permissions are filters that exist precisely for this purpose.

• find . -type f -size 1033c — find files of a specific size in bytes from the current directory

• find . -type f ! -executable — find files that are not executable

• find . -type f -readable — find files the current user can read

• find . -name "*.log" — find files by name pattern

• find . -type f -newer /var/log/auth.log — find files modified more recently than a reference file

🔴 SOC Analyst Insight

In a real SOC investigation, find with property filters is used constantly during host triage. When an analyst suspects that a threat actor has dropped a tool or script onto a compromised machine, they rarely know the filename. What they often do know is the approximate size, whether it should be executable and which directories are commonly abused. That known profile is exactly what find is built to match against.

# Search for executable files dropped in world-writable directories in the last 24 hours

find /tmp /var/tmp /dev/shm -type f -executable -mtime -1 2>/dev/null

The command above targets three directories that attackers commonly use to stage tools because they are writable by all users. Filtering by executable and recency means the output focuses on files that were placed there recently and are designed to be run. That is a tightly scoped search that takes seconds to run and can surface attacker tooling that a manual inspection would miss entirely.
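Recency can be expressed as a fixed window (-mtime -1) or relative to a reference file (-newer), and the two select different files. The script below is an added example, not part of the original article: it builds a constructed stand-in for a staging directory with backdated files and runs both forms. The file names, the reference.log file and the function names are assumptions for the demo, and GNU find and GNU touch are assumed.

```bash
#!/usr/bin/env bash
# Added example (constructed data): -mtime -1 versus -newer REF when triaging a staging directory.
# Assumes GNU find (-executable, -printf) and GNU touch (-d with relative dates).

build_staging() {                       # $1 = stand-in for /tmp, /var/tmp or /dev/shm
  mkdir -p "$1"
  printf '#!/bin/sh\n' > "$1/old_tool";    chmod 755 "$1/old_tool"
  printf '#!/bin/sh\n' > "$1/dropped_10h"; chmod 755 "$1/dropped_10h"
  printf '#!/bin/sh\n' > "$1/dropped_now"; chmod 755 "$1/dropped_now"
  printf 'notes\n'     > "$1/notes.txt"           # recent but not executable
  printf 'log line\n'  > "$1/reference.log"       # plays the role of a busy log file
  touch -d '3 days ago'   "$1/old_tool"
  touch -d '10 hours ago' "$1/dropped_10h"
  touch -d '2 hours ago'  "$1/reference.log"
}

# Fixed window: executables modified less than 24 hours ago.
exec_last_24h() {
  find "$1" -type f -executable -mtime -1 -printf '%f\n' 2>/dev/null | sort
}

# Relative window: executables modified after the reference file was last written.
exec_newer_than() {
  find "$1" -type f -executable -newer "$2" -printf '%f\n' 2>/dev/null | sort
}

# Triage listing: modification time, mode, owner, size and path for each hit.
report_last_24h() {
  find "$1" -type f -executable -mtime -1 \
    -printf '%TY-%Tm-%Td %TH:%TM  %m  %u  %s bytes  %p\n' 2>/dev/null | sort
}

stage=$(mktemp -d)
trap 'rm -rf "$stage"' EXIT
build_staging "$stage/tmp"
echo "-mtime -1:";            exec_last_24h "$stage/tmp"
echo "-newer reference.log:"; exec_newer_than "$stage/tmp" "$stage/tmp/reference.log"
echo "report:";               report_last_24h "$stage/tmp"
```

The file modified ten hours ago appears in the 24-hour window but not in the -newer result, because the reference file was written after it.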

This Bandit level teaches the mindset behind that command. Define the properties of what you are looking for and let find do the work. That approach scales from a home directory with twenty subdirectories all the way to an enterprise Linux host with millions of files.

Key Takeaway

The find command transforms a potentially overwhelming manual search into a precise, repeatable query. Knowing how to combine filters for file type, size and permissions means you can locate a specific file in any environment regardless of how large or unfamiliar it is. In security work where time and accuracy both matter, that ability is not a convenience. It is a core operational skill.

📅 30-Day Cybersecurity Learning Journey — Progress

✅ Day 0. — Setup & Series Introduction. | OverTheWire Bandit

✅ Day 1. — Bandit Level 0 → 1. | SSH

✅ Day 2. — Bandit Level 1 → 2. | Special characters

✅ Day 3. — Bandit Level 2 → 3. | Spaces in filenames

✅ Day 4. — Bandit Level 3 → 4. | Hidden files

✅ Day 5. — Bandit Level 4 → 5. | File types

✅ Day 6. — Bandit Level 5 → 6. | find with properties. ← today

⬜ Day 7. — Bandit Level 6 → 7. | coming next

Follow along with the series as I document each level, command and lesson learned.

When you know the properties of what you are looking for, the file system has nowhere left to hide it.


OverTheWire Bandit Walkthrough — Level 5 → 6 | 30-Day Cybersecurity Learning Journey (Day 6) was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.