{"id":563,"date":"2015-01-25T20:34:38","date_gmt":"2015-01-25T20:34:38","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=563"},"modified":"2022-06-03T05:40:09","modified_gmt":"2022-06-03T05:40:09","slug":"overthewire-bandit-13","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-bandit-13\/","title":{"rendered":"OvertheWire &#8211; Bandit 13"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;3.22&#8243;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;3.25&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;3.25&#8243; custom_padding=&#8221;|||&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text admin_label=&#8221;Text&#8221; _builder_version=&#8221;4.7.5&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;]<strong>Recap of Level 12:<\/strong> More obfuscation practice and decoding.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/overthewire.org\/wargames\/bandit\/bandit13.html\" target=\"_blank\" rel=\"noopener\"><strong>Bandit Level 13<\/strong><\/a><\/p>\n<h4><strong>Objective:<\/strong><\/h4>\n<p>Find the password to the next level<\/p>\n<h4><strong>Intel Given:<\/strong><\/h4>\n<ul>\n<li>The password for the next level is stored in the file data.txt,<\/li>\n<li>data.txt\u00a0is a hexdump of a file that has been repeatedly compressed<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h4><strong>How to:<\/strong><\/h4>\n<p>This write-up is courtesy of\u00a0<a href=\"http:\/\/www.reddit.com\/user\/xamien\" target=\"_blank\" rel=\"noopener\">xamien<\/a>\u00a0from reddit who allowed me to post this excellent write-up! Thanks xamien. 
I quickly added a brief intro to the lesson.<\/p>\n<p>Our file is a hexdump of a repeatedly compressed file, which means that simply reading the file will not give us the result that we are looking for. We need to convert the file into something that we can see and manipulate. We use the command xxd, which normally creates hexdumps, but when used with the -r switch it reverses the hexdump and creates a binary file. From there we will be using a variety of decompression commands piped into each other to reveal an uncompressed file each step of the way. You could do the long method and just uncompress each file, creating a new one each step of the way. I like xamien's method; it's much faster.<\/p>\n<pre><code>$ xxd -r data.txt foobar.bin\n<\/code><\/pre>\n<p>From here, use the <code>file<\/code> program to find out more about it:<\/p>\n<pre><code>$ file foobar.bin\nfoobar.bin: gzip compressed data, was \"data2.bin\", last modified:\nFri Nov 14 04:32:20 2014, max compression, from Unix\n<\/code><\/pre>\n<p>So the first compression method was <code>gzip<\/code>. The challenge stated that the file was compressed multiple times, so there&#8217;s going to be a chain of decompression commands to get to the original text. There&#8217;s a trick we can use here: piping standard output from one command into another repeatedly.<\/p>\n<p>The compression programs <code>gzip<\/code> and <code>bzip2<\/code> have companion programs called <code>zcat<\/code> and <code>bzcat<\/code> that will read compressed data from standard input and write decompressed data to standard output, making them ideal for piping.<\/p>\n<p>The <code>file<\/code> command used earlier can also read from standard input by using <code>-<\/code> as the filename. This is a very common convention for Unix programs. 
By building a pipeline leading to <code>file -<\/code> we can see what the next step will be:<\/p>\n<pre><code>$ zcat foobar.bin | file -\n\/dev\/stdin: bzip2 compressed data, block size = 900k\n<\/code><\/pre>\n<p>So the next decompression step will be <code>bzcat<\/code>:<\/p>\n<pre><code>$ zcat foobar.bin | bzcat | file -\n\/dev\/stdin: gzip compressed data, was \"data4.bin\", last modified: \nFri Nov 14 04:32:20 2014, max compression, from Unix\n<\/code><\/pre>\n<p>Remember, the <code>cat<\/code> family of commands reads from standard input by default and writes to standard output by default, so by using a pipe (<code>|<\/code>) we are funneling <code>zcat<\/code>&#8217;s output into <code>bzcat<\/code>, then <code>bzcat<\/code>&#8217;s output through another pipe into <code>file -<\/code>. Repeating this, we get up to here:<\/p>\n<pre><code>$ zcat foobar.bin | bzcat | zcat | file -\n\/dev\/stdin: POSIX tar archive (GNU)\n<\/code><\/pre>\n<p><code>tar<\/code> is an archiving program, meaning it collects two or more files into one file using a format that allows the files to be extracted later. 
It doesn&#8217;t do any compression itself, but <code>.tar<\/code> files are commonly compressed with <code>gzip<\/code>, <code>bzip2<\/code>, or other compression methods into an easily distributed file, often called a &#8220;tarball&#8221;.<\/p>\n<p>Luckily, <code>tar<\/code> can write to standard output with the <code>-x -O<\/code> arguments, so we can continue building our pipeline:<\/p>\n<pre><code>$ zcat foobar.bin | bzcat | zcat | tar xO | file -\n\/dev\/stdin: POSIX tar archive (GNU)\n<\/code><\/pre>\n<p><code>tar<\/code> again, so add it to the pipeline:<\/p>\n<pre><code>$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | file -\n\/dev\/stdin: bzip2 compressed data, block size = 900k\n<\/code><\/pre>\n<p>The complete command ends up looking like this:<\/p>\n<pre><code>$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -\n\/dev\/stdin: ASCII text\n<\/code><\/pre>\n<p>Now you can run the command without the <code>| file -<\/code> and see the password.<\/p>\n<h4><strong>Conclusion:<\/strong><\/h4>\n<p>So we learned about compression and obfuscation of files by compression. There are definitely a few ways to do this. One is the long, drawn-out method of uncompressing and creating a new file each step of the way. 
The other is piping each step's output into the next decompression command, making one long command to reveal the answer.[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; column_structure=&#8221;1_2,1_2&#8243;][et_pb_column _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; type=&#8221;1_2&#8243;][et_pb_image src=&#8221;https:\/\/hackmethod.com\/wp-content\/uploads\/2020\/12\/Previous.png&#8221; _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; alt=&#8221;Previous Level&#8221; title_text=&#8221;Previous&#8221; url=&#8221;https:\/\/hackmethod.com\/overthewire-bandit-12&#8243; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;][\/et_pb_image][\/et_pb_column][et_pb_column _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; type=&#8221;1_2&#8243;][et_pb_image src=&#8221;https:\/\/hackmethod.com\/wp-content\/uploads\/2020\/12\/Next.png&#8221; _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; alt=&#8221;Next Level&#8221; title_text=&#8221;Next&#8221; url=&#8221;https:\/\/hackmethod.com\/overthewire-bandit-14&#8243; align=&#8221;right&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;][\/et_pb_image][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Level 12: More obfuscation practice and decoding. 
&nbsp; Bandit Level 13 Objective: Find the password to the next level Intel Given: The password for the next level is stored in the file data.txt, data.txt\u00a0is a hexdump of a file that has been repeatedly compressed How to: This write-up is curtosey of\u00a0xamien\u00a0from reddit who [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44],"tags":[43,45,46],"class_list":["post-563","post","type-post","status-publish","format-standard","hentry","category-overthewire","tag-bandit","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-95","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=563"}],"version-history":[{"count":7,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/563\/revisions"}],"predecessor-version":[{"id":27525,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/563\/revisions\/27525"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}