OverTheWire – Bandit Challenge – Level 12 -> Level 13

Level 12 → 13: The Russian Nesting Doll (Hexdumps and Compression)

The Challenge

The Objective:

You are currently logged in as bandit12. Your objective for this level is to find the password stored in a file named data.txt. However, this file is a hexdump of a file that has been compressed repeatedly using multiple different archiving algorithms.

The Constraints:

  • You are logged in as bandit12.
  • You do not have write permissions in your current home directory, meaning you cannot extract files here. You must create a secure workspace in the /tmp directory.
  • You must reverse the hexdump back into a binary file.
  • You must repeatedly analyze, rename, and decompress the file until the final plain text password is revealed.

The Solution

The Concept: Hexdumps, Workspaces, and Program Requirements

This level combines several core Linux administrative concepts into one massive puzzle.

  1. The Temporary Workspace: Because standard users cannot write files just anywhere on a server, Linux reserves the /tmp directory for temporary data. Using the mktemp -d command generates a randomly named folder inside /tmp where you have full permissions to extract and manipulate data. mktemp creates that folder with mode 0700 (readable only by you), which matters on a shared box like Bandit: other players logged in as bandit12 cannot read the password you unpack there, which they could if you created a predictable directory with mkdir.
  2. Reversing a Hexdump: A hexdump is a hexadecimal view of computer data, one line per 16 bytes, with an offset column, a hex column, and an ASCII column. The xxd command is used to create these dumps, but by passing the -r (reverse) flag, it parses the offset and hex columns (the ASCII column is ignored) and reassembles the original raw binary file.
  3. The Extension Paradox: In Level 2, you learned that Linux operating systems do not care about file extensions. However, specific programs do. gzip -d refuses to decompress a file whose name does not end in a suffix it recognizes (.gz, .tgz, .z, .Z) unless you write to stdout with gzip -dc or pass -S; bzip2 -d will proceed on an unknown suffix but warns and writes the output to a .out file; tar does not care about the name at all. The file command, by contrast, identifies the format from the magic bytes at the start of the data, not from the name. Therefore, the loop is: use file to identify the compression type, use mv to rename the file with the correct extension, and then run the appropriate decompression tool.

Execution: Locating and Extracting

Follow these steps to build a workspace and begin the decompression loop.

Step 1: Create a temporary directory, copy the target file into it, and move into that directory. Type the following commands, pressing Enter after each:

Bash

mktemp -d

(The terminal will output a randomized path, such as /tmp/tmp.xyz123. Use your specific path for the next commands).

Bash

cp data.txt /tmp/tmp.xyz123
cd /tmp/tmp.xyz123

Step 2: Reverse the hexdump to create a readable binary file named data.bin.

Bash

xxd -r data.txt data.bin

Step 3: Begin the Interrogation Loop. You will repeat this sequence of commands (check file type, rename, decompress) multiple times.

Bash

# 1. Check the file type
file data.bin

# 2. If it says "gzip compressed data", rename it and decompress:
mv data.bin data.gz
gzip -d data.gz

# 3. Check the file type of the newly extracted file (now just named 'data')
file data

# 4. If it says "bzip2 compressed data", rename it and decompress:
mv data data.bz2
bzip2 -d data.bz2

(You must continue this loop. If file returns "POSIX tar archive", use tar -xf data.tar and then run ls: tar does not produce a file called "data", it extracts the member under whatever name was stored in the archive, so the next file to inspect will have a different name. Repeat this process until the file command finally returns "ASCII text", at which point you can use cat to read the password).

Copy the final text password to your clipboard. Type exit to close your connection, and get ready to SSH back in as bandit13.
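The same interrogation loop, written out as a program so you can see what file, xxd -r, gzip -d, bzip2 -d and tar -xf are each doing. This is an added example, not code from the original walkthrough or from OverTheWire: it uses only the Python standard library, identifies each layer from its magic bytes (the 1f 8b gzip header, the BZh bzip2 header, and "ustar" at offset 257 for tar) exactly as file(1) does, parses the xxd dump format itself, and unwraps until plain text remains. The nesting order, the tar member name data5.bin, and the placeholder secret are constructed for the example and are not the real level's layout or password.

```python
import bz2
import gzip
import io
import tarfile


def xxd_dump(data, cols=16):
    """Produce an xxd-style hexdump: 'offset: hex groups  ascii' per line."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        hexs = hexs.ljust(cols * 2 + cols // 2 - 1)   # pad short last line like xxd
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexs}  {asc}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump):
    """What 'xxd -r' does: take the hex column between the offset's ':' and the
    double space that precedes the ASCII column, ignore everything else."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def identify(blob):
    """Classify a blob by magic bytes, as file(1) does; the filename is irrelevant."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if blob[257:262] == b"ustar":          # ustar/pax/GNU tar all carry this magic
        return "tar"
    if all(32 <= b < 127 or b in b"\t\r\n" for b in blob):
        return "ascii"
    return "unknown"


def unwrap(blob, max_layers=32):
    """Peel layers until ASCII text remains. Returns (text, list of layer types)."""
    layers = []
    for _ in range(max_layers):
        kind = identify(blob)
        layers.append(kind)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "tar":
            # tar -xf extracts the member under its stored name, which is why the
            # walkthrough tells you to run ls after extracting: the name changes.
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                blob = tar.extractfile(member).read()
        elif kind == "ascii":
            return blob.decode("ascii"), layers
        else:
            raise ValueError("unrecognised layer; stop and inspect by hand")
    raise ValueError("gave up after too many layers")


def build_sample(secret):
    """Constructed input: secret wrapped gzip -> tar -> bzip2 -> gzip, then hexdumped.
    The order and the member name are invented for this example."""
    blob = gzip.compress(secret.encode())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="data5.bin")   # arbitrary name, as in a real archive
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    blob = bz2.compress(buf.getvalue())
    blob = gzip.compress(blob)
    return xxd_dump(blob)


if __name__ == "__main__":
    dump = build_sample("not-the-real-password\n")
    text, layers = unwrap(xxd_reverse(dump))
    print(" -> ".join(layers))
    print(text, end="")
```

Run it and the layer list prints outermost first, which is the order you meet them on the box; if identify ever returns "unknown" on the real data, that is the moment to stop and look at the bytes yourself rather than guess a tool.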

DevOps in the Wild

The combination of tar (Tape Archive) and gzip is why you constantly see .tar.gz files in the Linux world. They do two different jobs. tar takes a hundred files and bundles them together into one solid block, preserving names and permissions, but it does not shrink them. gzip shrinks data, but it can only shrink one file at a time. DevOps engineers use tar to bundle an entire web application folder into one file, and then use gzip to compress that bundle for fast network transfers. In practice the two steps are usually combined (tar -czf to create, tar -xzf to extract), and GNU tar auto-detects the compression on extraction, so a plain tar -xf app.tar.gz also works.

Troubleshooting Pitfalls

If your terminal is throwing errors, here is what went wrong:

  • Error: "Permission denied": You tried to run xxd -r or decompress the file while still standing in the bandit12 home directory, which is not writable. You must complete Step 1 to create and move into your /tmp directory first.
  • Error: "gzip: data.bin: unknown suffix -- ignored": You tried to decompress a file without giving it an extension gzip recognizes. You must use mv to rename the file so it ends in .gz before gzip -d will accept it (or write to stdout with gzip -dc data.bin > data, which does not check the name).
  • Error: "tar: Cannot extract...": You pointed the wrong tool at the layer. Trust the output of file over the filename: use gzip -d for gzip, bzip2 -d for bzip2, and tar -xf (extract file) for tar archives, and run ls after tar -xf because the extracted file will not be called data.tar.
