Ninja Skills — TryHackMe Walkthrough
2026-5-23 08:18:35 Author: infosecwriteups.com

Death Esther

Introduction

Some people skip rooms like this because they feel repetitive, but these are real skills used by SOC analysts and Linux admins daily. Ninja Skills focuses on Linux file enumeration and investigation using common commands.

The room provides the following files to investigate:

8V2L
bny0
c4ZX...

I used SSH instead of the AttackBox because the terminal was more stable and responsive.

ssh new-user@<ip>
Username: new-user
Password: new-user

Question 1

The first question asks which of the provided files are owned by the best-group group.

To solve this, I used the find command to search the Linux filesystem and filter files that belong to the best-group group.

find / -type f \( -name "8V2L" -o -name "bny0" -o -name "c4ZX" -o -name "D8B3" -o -name "FHl1" -o -name "oiMO" -o -name "PFbD" -o -name "rmfX" -o -name "SRSq" -o -name "uqyw" -o -name "v2Vb" -o -name "X1Uy" \) -group best-group 2>/dev/null

Command Breakdown

  • find / → Starts searching from the root (/) directory across the whole Linux system.
  • -type f → Tells find to search only for files, not directories.
  • -name → Matches specific filenames provided in the room/task.
  • -o → Means OR, allowing multiple filenames or conditions in one command.
  • -group best-group → Filters and shows only files that belong to the best-group group.
  • 2>/dev/null → Hides permission denied and unnecessary error messages to keep output clean.

The output returned:

/mnt/D8B3
/home/v2Vb

This confirmed that the files D8B3 and v2Vb are owned by the best-group group.

Final Answer:

D8B3 v2Vb

Question 2

The second question asks which file contains an IP address.

find / -type f \( -name "8V2L" -o -name "bny0" -o -name "c4ZX" -o -name "D8B3" -o -name "FHl1" -o -name "oiMO" -o -name "PFbD" -o -name "rmfX" -o -name "SRSq" -o -name "uqyw" -o -name "v2Vb" -o -name "X1Uy" \) -exec grep -lE '([0-9]{1,3}\.){3}[0-9]{1,3}' {} \; 2>/dev/null

Command Breakdown

  • find / → Searches the entire Linux system starting from the root (/) directory.
  • -type f → Limits the search to files only.
  • -name → Matches the filenames specified in the command.
  • -exec → Executes a command on every file that find discovers.
  • grep → Searches for specific text or patterns inside files.
  • -l → Displays only the filename where a match is found, not the matching content itself.
  • -E → Enables extended regular expressions for advanced pattern matching.
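  • ([0-9]{1,3}\.){3}[0-9]{1,3} → Regular expression that matches four dot-separated groups of one to three digits, the shape of an IPv4 address like 192.168.1.1. It does not check that each group is at most 255, so strings such as 999.999.999.999 also match.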
  • 2>/dev/null → Suppresses permission denied and other unnecessary error messages.

The command returned:

/opt/oiMO

This confirmed that the file oiMO contains an IP address.

Final Answer:

oiMO
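
The pattern used above also flags version strings and out-of-range values. The following sketch is an added example, not part of the original write-up: it compares that pattern with a stricter check that validates each octet. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up. Sample files are constructed.

# The walkthrough's pattern: any four dot-separated groups of 1-3 digits.
LOOSE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# loose_files FILE... : files the original grep -lE pattern flags.
loose_files() {
    grep -lE "$LOOSE" "$@" 2>/dev/null || true
}

# strict_files FILE... : files holding at least one plausible IPv4 address.
# Pulls out maximal digit/dot runs, then requires exactly four octets,
# each at most three digits long and no larger than 255.
strict_files() {
    for f in "$@"; do
        grep -oE '[0-9]+(\.[0-9]+)+' "$f" 2>/dev/null | awk -F. '
            NF == 4 {
                ok = 1
                for (i = 1; i <= 4; i++)
                    if (length($i) > 3 || $i + 0 > 255) ok = 0
                if (ok) { found = 1; exit }
            }
            END { exit !found }' && printf '%s\n' "$f"
    done
    return 0
}

# Constructed demo data: one real address, two look-alikes.
make_ip_samples() {
    dir=$(mktemp -d) || return 1
    printf 'peer=10.0.0.5:443 state=up\n'    > "$dir/real"
    printf 'libfoo 1.2.3.4.5 (build 7)\n'    > "$dir/version"
    printf 'counter 999.999.999.999 reset\n' > "$dir/range"
    printf '%s\n' "$dir"
}
```

On the constructed samples, loose_files reports all three files while strict_files reports only the one holding 10.0.0.5.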

Question 3

The third question asks which file matches the given SHA1 hash.

To solve this, I generated the SHA1 hash for each target file and compared the results with the hash provided in the question.

find / -type f \( -name "8V2L" -o -name "bny0" -o -name "c4ZX" -o -name "D8B3" -o -name "FHl1" -o -name "oiMO" -o -name "PFbD" -o -name "rmfX" -o -name "SRSq" -o -name "uqyw" -o -name "v2Vb" -o -name "X1Uy" \) -exec sha1sum {} \; 2>/dev/null

Command Breakdown

  • find / → Searches the entire filesystem starting from the root (/) directory.
  • -type f → Restricts the search to files only.
  • -name → Matches the filenames provided in the command.
  • -exec sha1sum → Runs the sha1sum command to generate a SHA1 hash for each discovered file.
  • {} → Placeholder representing the current file found by find.
  • \; → Terminates the -exec command syntax.
  • 2>/dev/null → Hides permission denied and unnecessary error messages from the output.

The output returned:

9d54da7584015647ba052173b84d45e8007eba94  /mnt/c4ZX

This confirmed that the file c4ZX matches the given SHA1 hash.

Final Answer:

c4ZX

Question 4

The fourth question asks which file contains exactly 230 lines.

To solve this, I used the wc -l command together with find to count the number of lines in each target file automatically.

find / \( -name "8V2L" -o -name "bny0" -o -name "c4ZX" -o -name "D8B3" -o -name "FHl1" -o -name "oiMO" -o -name "PFbD" -o -name "rmfX" -o -name "SRSq" -o -name "uqyw" -o -name "v2Vb" -o -name "X1Uy" \) -exec wc -l {} \; 2>/dev/null

Command Breakdown

  • find / → Searches the entire filesystem starting from the root (/) directory.
  • -name → Matches the filenames specified in the command.
  • -exec wc -l → Executes the line count command on every matching file.
  • wc -l → Counts the total number of lines inside a file.
  • 2>/dev/null → Suppresses permission denied and unnecessary error messages.

The file bny0 did not appear in the output, which made the question confusing at first.

The output only displayed the remaining files and their line counts:

209 /mnt/D8B3
209 /mnt/c4ZX
209 /var/FHl1
209 /var/log/uqyw
209 /opt/PFbD
209 /opt/oiMO
209 /media/rmfX
209 /etc/8V2L
209 /etc/ssh/SRSq
209 /home/v2Vb
209 /X1Uy

Since bny0 was missing from the results, it was the correct answer.

Final Answer:

bny0

Question 5

The fifth question asks which file is owned by a user with the UID 502.

In Linux, every user has a numeric User ID, also known as a UID. File ownership information can be viewed using the ls -ln command.

To identify the correct file, I used the following command:

find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) -exec ls -ln {} \; 2>>/dev/null

Command Breakdown

  • find / → Searches the entire filesystem starting from the root (/) directory.
  • -type f → Restricts the search to files only.
  • -name → Matches the filenames specified in the command.
  • -exec ls -ln → Executes ls in long listing mode and displays numeric user ID (UID) and group ID (GID) information for each file.
  • ls -l → Shows detailed file information such as permissions, owner, size and modification date.
  • -n → Displays numeric UID and GID values instead of usernames and group names.
  • 2>>/dev/null → Suppresses permission denied and unnecessary error messages from appearing in the terminal.

The output returned:

-rw-rw-r-- 1 502 501 13545 Oct 23 2019 /X1Uy

Here, 502 represents the owner UID of the file.

This confirmed that the file X1Uy is owned by a user with the ID 502.

Final Answer:

X1Uy

Question 6

The final question asks which file is executable by everyone.

In Linux, file permissions are displayed using symbols such as:

rwxrwxr-x

Where:

  • r → Read
  • w → Write
  • x → Execute

To check the permissions of all target files, I used the following command:

find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) -exec ls -ln {} \; 2>>/dev/null

Command Breakdown

  • find / → Searches the entire filesystem starting from the root (/) directory.
  • -type f → Restricts the search to files only.
  • -name → Matches the filenames specified in the command.
  • -exec ls -ln → Runs the ls command in detailed mode to display file permissions and ownership information.
  • ls -l → Shows detailed file metadata such as permissions, owner, size, and modification date.
  • -n → Displays numeric user IDs (UID) and group IDs (GID) instead of usernames and group names.
  • 2>>/dev/null → Hides permission denied and unnecessary error messages from the output.

The output returned:

-rwxrwxr-x 1 501 501 13545 Oct 23 2019 /etc/8V2L

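In the permission string rwxrwxr-x, the three triplets apply to the owner, the group and all other users. The final r-x shows that other users can execute the file, in addition to the owner and the group.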

This confirmed that the file 8V2L is executable by everyone.

Final Answer:

8V2L
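
Questions 1, 4, 5 and 6 all read metadata from the same set of names. The following sketch is an added example, not part of the original write-up: it collects owner, group, mode, line count and SHA1 in one pass and reports names that were not found explicitly, instead of leaving them silently absent as in Question 4. It assumes GNU find (for -printf); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up. Needs GNU find and sha1sum.
# Assumes file names and paths contain no whitespace or glob characters.

# triage ROOT NAME...
# One walk of ROOT. Prints "name path uid gid mode lines sha1" for every hit
# and "name MISSING" for every requested name that was not found.
triage() {
    root=$1; shift
    [ $# -gt 0 ] || return 2
    names="$*"
    # Rebuild the arguments as: -name A -o -name B ...
    set --
    for n in $names; do set -- "$@" -o -name "$n"; done
    shift
    hits=$(find "$root" -type f \( "$@" \) \
               -printf '%f %p %U %G %m\n' 2>/dev/null) || true
    for n in $names; do
        rows=$(printf '%s\n' "$hits" | awk -v n="$n" '$1 "" == n ""')
        if [ -z "$rows" ]; then
            printf '%s MISSING\n' "$n"
            continue
        fi
        printf '%s\n' "$rows" | while read -r name path uid gid mode; do
            lines=$(wc -l < "$path")
            sha=$(sha1sum "$path" | cut -d' ' -f1)
            printf '%s %s %s %s %s %s %s\n' \
                "$name" "$path" "$uid" "$gid" "$mode" "$lines" "$sha"
        done
    done
}

# Filter triage rows: names whose "others" octal digit has the execute bit.
world_exec() {
    awk 'NF == 7 && substr($5, length($5)) ~ /[1357]/ { print $1 }'
}

# Constructed demo tree: two files present, a third name deliberately absent.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/opt"
    printf 'a\nb\nc\n' > "$d/etc/8V2L"; chmod 775 "$d/etc/8V2L"
    printf 'x\n'       > "$d/opt/oiMO"; chmod 664 "$d/opt/oiMO"
    printf '%s\n' "$d"
}
```

Piping the triage output through world_exec, or through an awk filter on the uid, gid or line-count column, answers each ownership and permission question from the same table.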

Thanks for reading.

Article source: https://infosecwriteups.com/ninja-skills-tryhackme-walkthrough-cbab5b2dfcb2?source=rss----7b722bfd1b8d---4