find and file operations as security tools
File operations sound mundane, but find in particular is a security power tool. Locating files by name, permission, modification time, or owner is how you surface SSH keys, world-writable scripts, recently changed configs, and SUID binaries. This lesson covers find and friends, aimed at finding the interesting things.
You'll learn to
- Search by name, type, permission, and time
- Act on the files you find
- Combine find with other tools
find by different criteria
# By name (and wildcard):
find / -name "id_rsa" 2>/dev/null
find /var/www -name "*.bak" 2>/dev/null
# By permission — world-writable files and SUID binaries:
find / -perm -002 -type f 2>/dev/null # writable by everyone
find / -perm -4000 -type f 2>/dev/null # SUID binaries
# By modification time — changed in the last day:
find /etc -mtime -1 2>/dev/null
# By owner:
find / -user root -name "*.sh" 2>/dev/null
Each criterion answers a security question: -name finds key files, -perm -4000 finds SUID privesc candidates, -perm -002 finds world-writable files you might hijack, -mtime finds recent changes worth investigating. The 2>/dev/null discards permission-denied noise.
Acting on what you find
# Run a command on each result with -exec:
find /var/www -name "*.php" -exec grep -l "password" {} \;
# Or pipe to other tools (xargs is faster for many files). -print0 / -0 keep
# filenames containing spaces or newlines intact:
find / -name "*.conf" -print0 2>/dev/null | xargs -0 grep -l "secret" 2>/dev/null
-exec ... {} \; runs a command on each found file ({} is the filename). Piping to xargs does the same thing faster for large result sets; use find's -print0 with xargs -0 so filenames with spaces or newlines are not split into bogus arguments. This is how you go from ‘find config files’ to ‘find config files containing secrets’.
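The criteria above and the -exec / xargs step, run together over a small constructed directory tree so the results are known in advance. This is an added example, not code from the lesson; the tree, file names and the "password" keyword are all made up here.

```shell
#!/usr/bin/env bash
# Added example (not from the lesson): the lesson's find checks, run over a
# constructed directory tree so the results are known in advance.
set -u

# Build a throwaway tree with one file per finding we want to surface.
make_fixture() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/etc" "$root/home/www" "$root/usr/bin"
  printf 'db_password = hunter2\n'        > "$root/etc/app.conf"
  printf 'log_level = info\n'             > "$root/etc/other.conf"
  printf 'old\n'                          > "$root/etc/stale.conf"
  printf '<?php $pw = "password"; ?>\n'   > "$root/home/www/login.php"
  printf '#!/bin/sh\necho hi\n'           > "$root/usr/bin/helper.sh"
  printf 'not really a binary\n'          > "$root/usr/bin/suid-tool"
  find "$root" -type f -exec chmod 0644 {} +   # normalise, whatever the umask
  chmod 4755 "$root/usr/bin/suid-tool"         # set-user-ID bit
  chmod 0666 "$root/home/www/login.php"        # world-writable
  touch -t 202001010000 "$root/etc/stale.conf" # old mtime, outside -mtime -1
  printf '%s' "$root"
}

# Each helper answers one of the lesson's questions; output is sorted so
# callers can compare it directly.
list_suid()           { find "$1" -type f -perm -4000 2>/dev/null | sort; }
list_world_writable() { find "$1" -type f -perm -002  2>/dev/null | sort; }
list_recent()         { find "$1" -type f -mtime -1   2>/dev/null | sort; }
# -print0 / xargs -0 keep names with spaces or newlines intact, which a
# plain "| xargs" does not.
list_conf_with_secret() {
  find "$1" -name '*.conf' -print0 2>/dev/null | xargs -0 grep -l "$2" 2>/dev/null | sort
}

# Print a labelled report for a tree (what you would eyeball on a real host).
audit_tree() {
  local root="$1"
  echo "== SUID files ==";                     list_suid "$root"
  echo "== world-writable files ==";           list_world_writable "$root"
  echo "== changed in last 24h ==";            list_recent "$root"
  echo "== configs mentioning 'password' ==";  list_conf_with_secret "$root" password
}

demo_root="$(make_fixture)"
audit_tree "$demo_root"
rm -rf "$demo_root"
```

Point audit_tree at a real root (e.g. /) to reproduce the lesson's commands; on a live host the SUID and world-writable lists are the ones to review first.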
Checkpoint
What does find / -perm -4000 -type f 2>/dev/null find, and why is it a key enumeration command?
It finds all SUID files — binaries with the set-user-ID bit, which run with their owner's privileges regardless of who launches them. When the owner is root, an abusable SUID binary is a path to root. It's a key enumeration command because it surfaces those privilege-escalation candidates instantly, and the 2>/dev/null discards the permission-denied noise so only the results show.
Try it yourself
On a system you control, use find to locate all .sh files owned by your user, then all files modified in the last day under your home directory. Then combine find with grep (via -exec or xargs) to find files containing a chosen keyword. Notice how each criterion narrows the search.
Key takeaways
- find searches by -name, -perm, -mtime, -user, -type and more.
- -perm -4000 finds SUID binaries; -perm -002 finds world-writable files.
- -exec or xargs acts on results — e.g. grep them for secrets.
- A few targeted finds are a Linux privilege-escalation checklist.