OverTheWire Bandit Write Up – Level 12

With level 11 not taking too much time to complete, is was inevitable (like Thanos) that bandit level 12 would not be the same. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 11 write up, give it a quick read then head back over here. And if you haven’t guessed already, yes I am a Marvel fan! Anyway let’s go.

Level 12

This level is once again using a data.txt file to store the password for the next level. However, the password has been compressed repeatedly and then the output of that has been pushed through a hexdump. During the processing of this file I will need to create multiple output files, because of this I can create my own directory in the /tmp directory. This is recommended as many users may be accessing the bandit level 12 system simultaneously. So let’s begin.

Let’s Start Hacking Then

So it’s that time again, I spin up a fresh terminal and initiate the SSH connection to the machine.

ssh bandit12@bandit.labs.overthewire.org -p 2220

Again, I am prompted for the password for the user and no surprise (okay just a little) the password I got from the last level worked, and I’m in. Everyone I write that line I can’t help but think of the Tron quote

…and then, one day, I got in!

So I need to first take a look around and see if I’ve got everything I need in the bandit level 12 users home directory. I run the ls command and can see I have the data.txt file I need to start with. It’s always worth a look at the file before I begin, so I run the following command, just to have a look.

cat ./data.txt

This is the file I need as the output is indeed a hexdump. I can now get started ‘properly’. Looking back at the level description I will need to make my own copy of the file before I start to manipulate it, and in order to do that I will need my own directory to play in. To keep my directory setup I run the following command.

mkdir /tmp/jrlbyrne

Next I need to create a copy of the data.txt in my directory, and do so with the following.

cp ./data.txt /tmp/jrlbyrne

So I have my own directory, and a copy of the file to start playing with. All that’s left to do before I can start to do anything with the file is to move into that directory.

cd /tmp/jrlbyrne

It’s now time to actually start processing the file to get the password. The first thing I need to do is reverse the hexdump. Looking at the man page of the xxd command I know that I can use it to either make or reverse a hexdump. I need to reverse it, so I run the following and put the output into a new 1.txt file.

xxd -r ./data.txt > 1.txt

I know have a reversed hexdump of the file that should be compressed, so I will need to uncompress the file before I can get the password. However, I need to find how the files been compressed first.

file ./1.txt

Tells me that the file is gzip compressed data. Looking at the man page for gzip I see that the file first needs to have a .gz file extension. So I need to rename the file before I can uncompress

mv ./1.txt ./1.gz

The file is now ready to be uncompressed. I run the following.

gzip -d ./1.gz

I need to check what files I know have in the directory, using the ls command I can see that the 1.gz file has gone and I am left with a 1 file. So I need to find out what type of file it is first, like previously.

file ./1

From this I find out that the file is bzip2 compressed data. I need to use bzip2 to uncompress that file. However before I go on the file itself was compressed many times, and to prevent you from having to read the same sentence over and over again. I have put all the commands I ran in one big code block.

$ bzip2 -d ./1
$ file ./1.out
gzip compressed data
$ mv ./1.out ./1.gz
$ file ./1
POSIX tar archive
$ mv ./1 ./1.tar.gz
$ tar -xvf ./1.tar.gz
$ file ./data5.bin
POSIX tar archive
$ mv ./data5.bin ./data5.tar.gz
$ tar -xvf ./data5.tar.gz
$ file ./data6.bin
bzip2 compressed data
$ bzip2 -d ./data6.bin
$ file ./data6.bin.out
POSIX tar archive
$ mv ./data6.bin.out ./data6.tar.gz
$ tar -xvf ./data6.tar.gz
$ file ./data8.bin
gzip compressed data
$ mv ./data8.bin ./data8.gz
$ gzip -d ./data8.gz
$ file ./data8
ASCII text

That’s it, the file is no longer compressed and I should now be able to get the password, I run the following.

cat ./data8

…and Wham! Bam! Thank you ma’am! I have the password now for level 13.

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.