Bandit - Going to Level 13

2 November 2017

Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Getting the information

This is going to take a while. First let's create our work environment. We copy data.txt into our temporary directory and call it data.dump.

bandit12@melinda:~$ mkdir /tmp/bck
bandit12@melinda:~$ cp data.txt /tmp/bck/data.dump
bandit12@melinda:~$ cd /tmp/bck

Then we reverse the hexdump and observe it.

bandit12@melinda:/tmp/bck$ xxd -r data.dump data1
bandit12@melinda:/tmp/bck$ xxd data1 | head -n 5
0000000: 1f8b 0808 34da 6554 0203 6461 7461 322e ....4.eT..data2.
0000010: 6269 6e00 013f 02c0 fd42 5a68 3931 4159 bin..?...BZh91AY
0000020: 2653 5982 c194 8a00 0019 ffff dbfb adfb &SY.............
0000030: bbab b7d7 ffea ffcd fff7 bfbf 1feb eff9 ................
0000040: faab 9fbf fef2 fefb bebf ffff b001 3b18 ..............;.

We can see that the file starts with the magic bytes 0x1f 0x8b 0x08 0x08, which means that we are dealing with a Gzip file. Before extracting the contents we need to rename the file so that it ends in .gz (data2.gz in the command below). Otherwise Gzip will just ignore the command.

bandit12@melinda:/tmp/bck$ mv data1 data2.gz
bandit12@melinda:/tmp/bck$ gzip -d data2.gz

We now have a file named data2. Let's take a deeper look into it.

bandit12@melinda:/tmp/bck$ xxd data2 | head -n 5
0000000: 425a 6839 3141 5926 5359 82c1 948a 0000 BZh91AY&SY......
0000010: 19ff ffdb fbad fbbb abb7 d7ff eaff cdff ................
0000020: f7bf bf1f ebef f9fa ab9f bffe f2fe fbbe ................
0000030: bfff ffb0 013b 1864 0000 1ea0 001a 0064 .....;.d.......d
0000040: 680d 01a0 64d0 000d 0000 3400 c9a3 2000 h...d.....4... .

Since it starts with BZ, we can safely say that this is a Bzip2 file. Actually, the same BZh91AY&SY bytes were already visible before uncompressing the file (see the xxd data1 output above).

We extract the compressed file with the bzip2 command. The output file is named data2.out. We rename it to data3.

bandit12@melinda:/tmp/bck$ bzip2 -d data2
bzip2: Can't guess original name for data2 -- using data2.out
bandit12@melinda:/tmp/bck$ mv data2.out data3

After doing a hexdump of data3, here is what we have:

bandit12@melinda:/tmp/bck$ xxd data3 | head -n 5
0000000: 1f8b 0808 34da 6554 0203 6461 7461 342e ....4.eT..data4.
0000010: 6269 6e00 edd1 4d48 1471 18c7 f13f 526a bin...MH.q...?Rj
0000020: 86b2 6017 0b64 5456 4d42 6676 6716 c2c4 ..`..dTVMBfvg...
0000030: 317c 1941 5149 85b5 0877 dd60 f7a0 a2ad 1|.AQI...w.`....
0000040: 76f0 320a 82e1 29c8 43a1 a0ee 41f0 22a2 v.2...).C...A.".

We extract with Gzip.

bandit12@melinda:/tmp/bck$ mv data3 data4.gz
bandit12@melinda:/tmp/bck$ gzip -d data4.gz
bandit12@melinda:/tmp/bck$ ls
data.dump data1 data2 data4

Hexdump of data4

bandit12@melinda:/tmp/bck$ xxd data4 | head -n 5
0000000: 6461 7461 352e 6269 6e00 0000 0000 0000 data5.bin.......
0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................

Wow, much zeros, such information! I have no idea what this is. So I’ll just try the usual command (tar).

bandit12@melinda:/tmp/bck$ tar xvf data4
data5.bin

We got data5.bin.

Fast forward

bandit12@melinda:/tmp/bck$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melinda:/tmp/bck$ tar xvf data6.bin.out
data8.bin
bandit12@melinda:/tmp/bck$ mv data8.bin data8.gz
bandit12@melinda:/tmp/bck$ gzip -d data8.gz
bandit12@melinda:/tmp/bck$ cat data8
bandit12@melinda:/tmp/bck$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
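
The loop followed by hand above (look at the first bytes, pick the tool, repeat) can be scripted. The following is an added example, not part of the original write-up: it identifies each layer by its signature, including the "ustar" magic at offset 257 that explains the data4 dump, and unpacks in memory with caps on depth and size. The function names, the two caps and the sample input are assumptions made for illustration; the input is constructed, not the level's data.

```python
import bz2
import gzip
import io
import tarfile

MAX_LAYERS = 32               # assumed cap on nesting depth
MAX_BYTES = 8 * 1024 * 1024   # assumed cap on any one layer's output
# (name, offset, magic). A tar header opens with the NUL-padded member name
# (the "data5.bin" plus zeros in the dump); its magic sits at offset 257.
SIGNATURES = (("gzip", 0, b"\x1f\x8b"), ("bzip2", 0, b"BZh"), ("tar", 257, b"ustar"))

def identify(blob):
    """Name the container format from its signature bytes."""
    for name, off, magic in SIGNATURES:
        if blob[off:off + len(magic)] == magic:
            return name
    return "data"

def peel_once(blob, kind):
    """Remove one layer in memory, reading at most MAX_BYTES + 1 bytes."""
    if kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            return fh.read(MAX_BYTES + 1)
    if kind == "bzip2":
        return bz2.BZ2Decompressor().decompress(blob, MAX_BYTES + 1)
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        member = next((m for m in tar if m.isfile()), None)
        if member is None:
            raise ValueError("tar layer holds no regular file")
        return tar.extractfile(member).read(MAX_BYTES + 1)

def peel(blob):
    """Return (innermost bytes, names of the layers removed)."""
    layers = []
    while (kind := identify(blob)) != "data":
        blob = peel_once(blob, kind)
        layers.append(kind)
        if len(layers) > MAX_LAYERS or len(blob) > MAX_BYTES:
            raise ValueError("nesting or size cap exceeded")
    return blob, layers

def build_sample():
    """Constructed input: gzip(bzip2(gzip(tar(data5.bin))))."""
    payload, buf = b"constructed sample secret\n", io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(bz2.compress(gzip.compress(buf.getvalue())))
```

Reading the tar member through extractfile instead of extracting it means a member name in an untrusted archive never touches the filesystem.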