With level 11 not taking too much time to complete, is was inevitable (like Thanos) that bandit level 12 would not be the same. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 11 write up, give it a quick read then head back over here. And if you haven’t guessed already, yes I am a Marvel fan! Anyway let’s go.
Level 12
This level is once again using a data.txt file to store the password for the next level. However, the password has been compressed repeatedly and then the output of that has been pushed through a hexdump. During the processing of this file I will need to create multiple output files, because of this I can create my own directory in the /tmp directory. This is recommended as many users may be accessing the bandit level 12 system simultaneously. So let’s begin.
Let’s Start Hacking Then
So it’s that time again, I spin up a fresh terminal and initiate the SSH connection to the machine.
ssh bandit12@bandit.labs.overthewire.org -p 2220
Again, I am prompted for the password for the user and no surprise (okay just a little) the password I got from the last level worked, and I’m in. Everyone I write that line I can’t help but think of the Tron quote
…and then, one day, I got in!
So I need to first take a look around and see if I’ve got everything I need in the bandit level 12 users home directory. I run the ls command and can see I have the data.txt file I need to start with. It’s always worth a look at the file before I begin, so I run the following command, just to have a look.
cat ./data.txt
This is the file I need as the output is indeed a hexdump. I can now get started ‘properly’. Looking back at the level description I will need to make my own copy of the file before I start to manipulate it, and in order to do that I will need my own directory to play in. To keep my directory setup I run the following command.
mkdir /tmp/jrlbyrne
Next I need to create a copy of the data.txt in my directory, and do so with the following.
cp ./data.txt /tmp/jrlbyrne
So I have my own directory, and a copy of the file to start playing with. All that’s left to do before I can start to do anything with the file is to move into that directory.
cd /tmp/jrlbyrne
It’s now time to actually start processing the file to get the password. The first thing I need to do is reverse the hexdump. Looking at the man page of the xxd command I know that I can use it to either make or reverse a hexdump. I need to reverse it, so I run the following and put the output into a new 1.txt file.
xxd -r ./data.txt > 1.txt
I know have a reversed hexdump of the file that should be compressed, so I will need to uncompress the file before I can get the password. However, I need to find how the files been compressed first.
file ./1.txt
Tells me that the file is gzip compressed data. Looking at the man page for gzip I see that the file first needs to have a .gz file extension. So I need to rename the file before I can uncompress
mv ./1.txt ./1.gz
The file is now ready to be uncompressed. I run the following.
gzip -d ./1.gz
I need to check what files I know have in the directory, using the ls command I can see that the 1.gz file has gone and I am left with a 1 file. So I need to find out what type of file it is first, like previously.
file ./1
From this I find out that the file is bzip2 compressed data. I need to use bzip2 to uncompress that file. However before I go on the file itself was compressed many times, and to prevent you from having to read the same sentence over and over again. I have put all the commands I ran in one big code block.
$ bzip2 -d ./1 $ file ./1.out gzip compressed data $ mv ./1.out ./1.gz $ file ./1 POSIX tar archive $ mv ./1 ./1.tar.gz $ tar -xvf ./1.tar.gz $ file ./data5.bin POSIX tar archive $ mv ./data5.bin ./data5.tar.gz $ tar -xvf ./data5.tar.gz $ file ./data6.bin bzip2 compressed data $ bzip2 -d ./data6.bin $ file ./data6.bin.out POSIX tar archive $ mv ./data6.bin.out ./data6.tar.gz $ tar -xvf ./data6.tar.gz $ file ./data8.bin gzip compressed data $ mv ./data8.bin ./data8.gz $ gzip -d ./data8.gz $ file ./data8 ASCII text
That’s it, the file is no longer compressed and I should now be able to get the password, I run the following.
cat ./data8
…and Wham! Bam! Thank you ma’am! I have the password now for level 13.
Level 12 Complete
I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.