Now while being logged in as the user bandit12, you need to find the password of user bandit13 in order to complete this level.
If you haven’t completed the previous level, do check out the write-up for Level 11 to Level 12, which is present here.
Follow these steps to proceed:
- This is one of the challenges that took a bit of time for me, so hold on and read through the write-up completely
- The password to crack this level is present inside the file data.txt that has been repeatedly compressed using different compression algorithms
- If you check the contents of data.txt using less, you’ll get the following output:
00000000: 1f8b 0808 2817 ee68 0203 6461 7461 322e ....(..h..data2.
00000010: 6269 6e00 013c 02c3 fd42 5a68 3931 4159 bin..<...BZh91AY
00000020: 2653 59cc 46b5 2d00 0018 ffff da5f e6e3 &SY.F.-......_..
00000030: 9fcd f59d bc69 ddd7 f7ff a7e7 dbdd b59f .....i..........
00000040: fff7 cfdd ffbf bbdf ffff ff5e b001 3b58 ...........^..;X
00000050: 2406 8000 00d0 6834 6234 d000 6869 9000 $.....h4b4..hi..
00000060: 1a7a 8003 40d0 01a1 a006 8188 340d 1a68 .z..@.......4..h
00000070: d340 d189 e906 8f41 0346 4d94 40d1 91a0 .@.....A.FM.@...
00000080: 681a 0681 a068 0680 c400 3207 a269 a189 h....h....2..i..
...
- This clearly shows that data.txt contains a hex dump of the binary we are supposed to decompress, so first of all we need to convert it into actual binary. Since we cannot write in the home partition, we will have to use a temporary directory inside the /tmp location
- Create a temporary directory by running the mktemp command as follows:
mktemp -d
- This will give you a random temporary directory, for my case it gave me the following output (yours could be different):
/tmp/tmp.nFX3gPeMhF
- Now copy that data.txt over to the directory as follows:
cp data.txt <TEMP_DIR>/hex_dump
- Now since this is just the hex dump, we need to convert it into the actual binary. Use the xxd command to convert it back to binary as follows:
xxd -r hex_dump binary
- This will give you the binary named as binary.
- Now, analyse the binary just created. Its first 2 bytes are 1F 8B, which is the magic header for a gzip compressed file. You can have a look at other types of magic headers here.
- A magic header is a set of first few bytes that identifies the file type. Almost every binary file format has its own magic header.
- Since we now know that it is a gzip compressed file, we can now decompress it. First, rename the file for clarity (and to allow gzip to identify it as a valid format):
mv binary binary.gz
- Now, decompress it using gzip as follows:
gzip -d binary.gz
- This will result in the creation of another file named binary, which is the result after decompression.
- Analyse it using xxd, which will give you the output as follows:
00000000: 425a 6839 3141 5926 5359 cc46 b52d 0000 BZh91AY&SY.F.-..
00000010: 18ff ffda 5fe6 e39f cdf5 9dbc 69dd d7f7 ...._.......i...
00000020: ffa7 e7db ddb5 9fff f7cf ddff bfbb dfff ................
00000030: ffff 5eb0 013b 5824 0680 0000 d068 3462 ..^..;X$.....h4b
00000040: 34d0 0068 6990 001a 7a80 0340 d001 a1a0 4..hi...z..@....
00000050: 0681 8834 0d1a 68d3 40d1 89e9 068f 4103 ...4..h.@.....A.
00000060: 464d 9440 d191 a068 1a06 81a0 6806 80c4 FM.@...h....h...
00000070: 0032 07a2 69a1 89a3 2680 00c8 00c8 1a18 .2..i...&.......
00000080: 8310 0000 d0c0 2343 11a0 3430 ca68 0006 ......#C..40.h..
...
- This file has the magic header as 42 5A 68, indicating that it is a bzip2 compressed file. So, rename the file to binary.bz2.
- Then decompress the file by running the following command:
bzip2 -d binary.bz2
- After decompression, we get the file named binary, which we can analyse using xxd.
- Upon analysis, it gives the following dump:
00000000: 1f8b 0808 2817 ee68 0203 6461 7461 342e ....(..h..data4.
00000010: 6269 6e00 edd1 4f48 d371 18c7 f1af 5374 bin...OH.q....St
00000020: 8ab6 491e 4450 7e68 d854 94df 9fef 26e2 ..I.DP~h.T....&.
00000030: bfa9 1d9c 0d11 0c41 8360 f24b a688 cafa .......A.`.K....
00000040: 7530 50a7 6028 ba48 1491 8828 3c48 9e3a u0P.`(.H...(<H.:
00000050: 0811 7818 8a60 1044 8217 d183 372f 7954 ..x..`.D....7/yT
00000060: 506a cd8e 0a76 ca3f f07e 5d3e 0fcf f3dc Pj...v.?.~]>....
00000070: 3e66 c00a b8cb 3abb fbc4 ffa3 c679 a4fc >f....:......y..
00000080: 9b71 e752 9767 b3e6 56cb 0da9 19d2 1ddf .q.R.g..V.......
...
- Well, we get the magic header 1F 8B again, indicating that it is a gzip compressed file
- Therefore, let’s extract it accordingly:
mv binary binary.gz; gzip -d binary.gz
- Here I’ve run the rename command and the decompression command in a single line to save some time :)
- Now, we can again analyse the binary using xxd, which gives the following output:
00000000: 6461 7461 352e 6269 6e00 0000 0000 0000 data5.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3234 3030 3000 3135 3037 3334 3133 0024000.15073413
00000090: 3435 3000 3031 3132 3432 0020 3000 0000 450.011242. 0...
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000100: 0075 7374 6172 2020 0072 6f6f 7400 0000 .ustar .root...
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0072 6f6f 7400 0000 .........root...
- Notice that for the first time we are seeing some human readable characters in the beginning of the file instead of some specific bytes. This is a signature of the GNU tar archive, which is further confirmed by the presence of the ustar keyword in the dump. You can read more about it here.
- Therefore, we can extract it accordingly with the following one-liner:
mv binary binary.tar; tar -xf binary.tar
- This now gives us a file named data5.bin, which confirms our assumption.
- Analyse the data5.bin using the xxd command again, which gives the following output:
00000000: 6461 7461 362e 6269 6e00 0000 0000 0000 data6.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3333 3300 3135 3037 3334 3133 0000333.15073413
00000090: 3435 3000 3031 3132 3436 0020 3000 0000 450.011246. 0...
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000100: 0075 7374 6172 2020 0072 6f6f 7400 0000 .ustar .root...
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0072 6f6f 7400 0000 .........root...
- Looks familiar, doesn’t it? Seems like we need to extract this tar archive again, so we use a similar one-liner again:
mv data5.bin data5.tar ; tar -xf data5.tar
- This gives us the file data6.bin, which we had expected
- Analyse the dump of data6.bin, which will give the following output:
00000000: 425a 6839 3141 5926 5359 8849 ff13 0000 BZh91AY&SY.I....
00000010: 8d7f cfdc 6a00 c0c0 7dff e120 5b23 8074 ....j...}.. [#.t
00000020: 61fe 8000 0840 0000 6682 0108 014c 0820 a....@..f....L. 
00000030: 0094 0d49 3d08 3232 0003 4c80 0f53 4c9a ...I=.22..L..SL.
00000040: 641a 3ca7 a350 6914 7ea9 9032 6800 c993 d.<..Pi.~..2h...
00000050: 09a1 a01a 068c 8d03 72dd 793f c810 180c ........r.y?....
00000060: 0204 0d07 8d50 9691 54c5 b411 101e f798 .....P..T.......
00000070: 3448 bc2a 4385 276a 62d5 3729 b77a 34fb 4H.*C.'jb.7).z4.
00000080: 0fcc dc1d 74c3 0004 ed70 02aa 2635 c0fd ....t....p..&5..
00000090: 5a81 34c0 5623 c2b4 655e dd79 0ada bc86 Z.4.V#..e^.y....
000000a0: 2b3e d24b 2d8e ee4a f6d5 9e6c 4249 c5d1 +>.K-..J...lBI..
000000b0: 4c2a fa0e 0c10 0f36 3b3e e864 2e28 4a02 L*.....6;>.d.(J.
000000c0: 224e a3c8 6439 8964 aa85 28b0 3240 403f "N..d9.d..(.2@@?
000000d0: 8bb9 229c 2848 4424 ff89 80 ..".(HD$...
- Hmm, magic header 42 5A 68, seems familiar, doesn’t it? Well, you guessed it right! It is the bzip2 compression again!
- Let’s decompress it using the following one-liner:
mv data6.bin data6.bz2 ; bzip2 -d data6.bz2
- This gives us the file data6, which we can analyse.
- Upon analysis with xxd, we get the following output:
00000000: 6461 7461 382e 6269 6e00 0000 0000 0000 data8.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3131 3700 3135 3037 3334 3133 0000117.15073413
00000090: 3435 3000 3031 3132 3530 0020 3000 0000 450.011250. 0...
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000100: 0075 7374 6172 2020 0072 6f6f 7400 0000 .ustar .root...
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0072 6f6f 7400 0000 .........root...
00000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
- Woop Woop! Another tar archive, so let’s quickly extract it using the following one-liner:
mv data6 data6.tar; tar -xf data6.tar
- We now get data8.bin, which was kinda expected.
- Upon analysing data8.bin with xxd, we get the following output:
00000000: 1f8b 0808 2817 ee68 0203 6461 7461 392e ....(..h..data9.
00000010: 6269 6e00 0bc9 4855 2848 2c2e 2ecf 2f4a bin...HU(H,.../J
00000020: 51c8 2c56 70f3 374d 2977 2b4e 3648 4e4a Q.,Vp.7M)w+N6HNJ
00000030: f4cc f430 c8b0 f032 4a0d cd2e 362a 4b09 ...0...2J...6*K.
00000040: 7129 77cc e302 003e de32 4131 0000 00 q)w....>.2A1...
- Hmm, 1F 8B again, pretty sure another gzip compression, so let’s decompress it:
mv data8.bin data8.gz; gzip -d data8.gz
- So we get data8, and upon analysis with xxd, it gives the following output:
00000000: 5468 6520 7061 7373 776f 7264 2069 7320 The password is
...
- Woah! first human readable file, no magic header, only text :)
- Hence, this is the file that contains our password.
- Password obtained at the time of writing this write-up:
FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
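
The identify-then-unwrap loop that the steps above repeat by hand, as an added Python example (not part of the original write-up). The function names and the sample payload are constructed for illustration, and `from_xxd` assumes the standard `xxd` layout with a 39-column hex area; everything runs in memory.

```python
import bz2, gzip, io, tarfile

def from_xxd(dump: str) -> bytes:
    """Like `xxd -r`: keep the 39-column hex area that follows 'offset: '."""
    rows = (l.split(":", 1)[1][1:40] for l in dump.splitlines() if ":" in l)
    return b"".join(bytes.fromhex(r.replace(" ", "")) for r in rows)

def identify(data: bytes) -> str:
    """Name the wrapper from its magic bytes, as the write-up does by eye."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    # tar starts with the member name; its "ustar" marker is at offset 257.
    if data[257:262] == b"ustar":
        return "tar"
    return "plain"

def unwrap(data: bytes, max_layers: int = 32):
    """Peel layers until no known magic remains; returns (layers, payload)."""
    layers = []
    while (kind := identify(data)) != "plain":
        if len(layers) == max_layers:  # refuse endlessly nested input
            raise ValueError("too many layers")
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        else:  # tar: read the first regular file in memory, nothing hits disk
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                data = tf.extractfile(next(m for m in tf if m.isfile())).read()
        layers.append(kind)
    return layers, data

def make_sample() -> str:
    """Constructed input: text -> gzip -> tar -> bzip2 -> gzip -> xxd-style dump."""
    inner = gzip.compress(b"The password is EXAMPLE-NOT-A-REAL-PASSWORD\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data9.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    blob = gzip.compress(bz2.compress(buf.getvalue()))
    rows = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    text = lambda r: "".join(chr(b) if 32 <= b < 127 else "." for b in r)
    return "\n".join(f"{i * 16:08x}: {r.hex(' ', -2):<39}  {text(r)}" for i, r in enumerate(rows))

if __name__ == "__main__":
    print(unwrap(from_xxd(make_sample())))
```

The returned layer list doubles as a record of which wrappers were peeled and in what order, which is the same information the manual `xxd` checks give one step at a time.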
Note
Passwords on each of the levels are known to change regularly after a specific interval of time. So instead of skimming through the write-up, it is recommended to solve the challenge by hand.