Access level

ssh bandit3@bandit.labs.overthewire.org -p 2220
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level goal

Read the password stored in a hidden file located in the inhere directory.

Explanation

The particularity of a hidden file and complication it can bring is that he may be hidden (no ? really ?). Let’s take a look:

bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$

The directory looks empty. If we look into the man page of ls we see:

LS(1)                                               User Commands

NAME
       ls - list directory contents

SYNOPSIS
       ls [OPTION]... [FILE]...

DESCRIPTION
       List information about the FILEs (the current directory by default).  Sort entries alphabetically if none of -cftuvSUX nor --sort is specified.

       Mandatory arguments to long options are mandatory for short options too.

       -a, --all
              do not ignore entries starting with .

Those hidden files are characterized by a dot at the beginning of the filename.

Repeating the previous command with the -a option we got:

bandit3@bandit:~/inhere$ ls -a
.  ..  .hidden

Here is our file, we can now display the password.

Obviously the problem only occur when you try to list files of the directory without the option. The problem is avoided with the bash autocompletion which takes into account hidden files.

Finally we have:

bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB