otw

OTW - Bandit Level 3 to Level 4

You will learn about hidden files in Linux, how they differ from Windows, and why files starting with a dot are hidden due to an early ls bug. These files can be revealed with special flags, and every directory also contains entries for the current and parent location.

Gurkirat Singh

22 Aug 2025 • 5 min read

Photo by Amirhossein Hasani / Unsplash

Hello, World! So far, you've learnt how to list files in the current directory and read their contents and it was all visible file. How would you know, I was using the -a flag the entire time. After reading through this post you will learn about why brain is now wired to use ls -la.

Also, I realised from my last two posts that they didn't contain much information, just a basic introduction and a direct jump to the solution. I will try to resolve this issue by providing some background and history on hidden files in Linux.

Hidden Files in Linux

If you are coming from Windows (like me), then you might have had "some important stuff" that you need to save to the computer and hide it from your siblings, you open the properties of the file directory, check Hidden and save it.

This won't show in the file explorer normally unless you enable it from the folder options or use special flag with dir command in the command prompt.

A hidden file (or directory) is a normal directory entry that is made invisible by the directory enumeration function and becomes visible only when a special flag is passed to it. In Windows, special flag is set which can be retrieved from the dwFileAttributes field of the BY_HANDLE_FILE_INFORMATION structure, whereas in POSIX operating systems such as Unix, Linux, and others, file names beginning with dot are considered hidden.

Why are Dot-files Hidden?

I see you are intrigued, but it was more of a disappointment for me to learn that this was caused by a bug introduced earlier when the ls command was written to hide the current directory (.) and parent double-dot (..), the authors checked if the file name began with a dot and simply ignored it unless the -a flag was set, which set ignore_mode to IGNORE_MINIMAL.

The command uses the libc readdir(3) function to enumerate through the files in the (everything is file, even a directory), making no distinction between any of them.

Solution

The challenge description on the Bandit page is self-explanatory.

The password for the next level is stored in a hidden file in the inhere directory.

When you list all of the files, you will not see any files but the inhere directory, which is distinguished by a different colour than the other files.

Do not rely on colours, as they are controlled by dircolor. I used to do that, but then realised it's not always the case. Check the d flag in the first column. Normal files, such as .bash_logout, will show hyphen/dash (-).

You can't just "cat" a directory, it must be a normal file. So, how does one read a file from a different directory? It's fairly simple. Arguments in Linux that require a file path can accept either an absolute or relative path. If you do not begin with /, it is an relative path that start locating the file from the current working directory.

The command ls -la inhere/ lists all files (-a) in the list format (-l) in the inhere directory, assuming the directory exists in the current working directory (home directory ~). Once you've located the file, similar to ls, you can pass the path to the file and, booyah!, you will get the password for the next level.

If you look at the screenshot carefully, you'll notice that I used two ways to refer inhere directory: ls -la inhere/ and cat ./inhere/...Hiding-From-You. This is to show you that both methods are possible when accessing paths from current directory.

Using inhere/ works as a relative path from the current directory, while ./inhere explicitly enforces that the inhere directory is in the current working directory.

You will also notice two special entries in every directory: