Recap of Last Lesson: More obfuscation practice and decoding.

Bandit Level 13


Find the password to the next level

Intel Given

  • The password for the next level is stored in the file data.txt,
  • data.txt is a hexdump of a file that has been repeatedly compressed

How to

This write-up is courtesy of xamien from reddit, who allowed me to post this excellent write-up. Thanks, xamien! I added a brief intro to the lesson.

Our file is a hexdump of compressed data, which means that simply reading the file will not give us the result we are looking for. We need to convert it back into something we can see and manipulate. We use the command xxd, which normally creates hexdumps, but when used with the -r switch it reverses a hexdump and writes the original binary file. From there we will be using a series of decompression commands piped into each other, revealing one uncompressed layer at each step. You could take the long route and decompress each file separately, creating a new file at each step. I like xamien's method; it's much faster.

$ xxd -r data.txt foobar.bin

From here, use the file program to find out more about it:

$ file foobar.bin
foobar.bin: gzip compressed data, was "data2.bin", last modified:
Fri Nov 14 04:32:20 2014, max compression, from Unix

So the first compression method was gzip. The challenge stated that the file was compressed multiple times, so there’s going to be a chain of decompression commands to get to the original text. There’s a trick we can use here: piping standard output from one command into another repeatedly.

The compression programs gzip and bzip2 have companion programs called zcat and bzcat that will read compressed data from standard input and write decompressed data to standard output, making them ideal for piping.

The file command used earlier can also read from standard input by using - as the filename. This is a very common convention for Unix programs. By building a pipeline leading to file - we can see what the next step will be:

$ zcat foobar.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k

So the next decompression step will be bzcat:

$ zcat foobar.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", last modified: 
Fri Nov 14 04:32:20 2014, max compression, from Unix

Remember, the cat family of commands reads from standard input by default and writes to standard output by default, so by using a pipe (|) we are funneling zcat's output into bzcat, then bzcat's output through another pipe into file -. Repeating this, we get up to here:

$ zcat foobar.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)

tar is an archiving program, meaning it collects two or more files into one file using a format that allows the files to be extracted later. It doesn’t do any compression itself but .tar files are commonly compressed with gzip, bzip2, or other compression methods into a file easily distributed, often called a “tarball”.

Luckily, tar can write to standard output with the -x -O arguments, so we can continue building our pipeline:

$ zcat foobar.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)

tar again, so add it to the pipeline:

$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k

The complete command ends up looking like this:

$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text

Now you can run the command without the | file - and see the password.
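The same procedure, as an added example that is not part of xamien's write-up: it reverses a plain xxd hexdump (the job `xxd -r` does), identifies each layer from its magic bytes the way `file -` would (gzip starts with 1f 8b, bzip2 with "BZh", and a tar header carries "ustar" at offset 257), and keeps unwrapping until plain text remains. The sample hexdump is constructed inside the script with the same eight-layer nesting the pipeline above reveals, and the secret it hides is a made-up value, not the real Bandit password. It also caps the number of layers so a repeatedly compressed input cannot be used as a decompression bomb against the tool.

```python
import bz2
import gzip
import io
import tarfile

# Constructed sample secret; NOT the real Bandit password.
SECRET = b"constructed-sample-password\n"
# Layer order the pipeline above peels off: zcat, bzcat, zcat, tar xO, tar xO, bzcat, tar xO, zcat.
EXPECTED_LAYERS = ["gzip", "bzip2", "gzip", "tar", "tar", "bzip2", "tar", "gzip"]


def xxd_dump(data: bytes) -> str:
    """Produce a plain xxd-style hexdump: offset, 8 groups of 2 bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexcol = " ".join(groups).ljust(39)  # 8 groups * 4 chars + 7 separators
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol}  {ascii_col}")
    return "\n".join(lines) + "\n"


def xxd_reverse(hexdump: str) -> bytes:
    """Reverse an xxd hexdump back to bytes, like `xxd -r`."""
    out = bytearray()
    for line in hexdump.splitlines():
        if not line.strip():
            continue
        body = line.split(":", 1)[1]           # drop the "offset:" prefix
        hex_part = body.split("  ", 1)[0]      # hex column ends at the first double space
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def identify(data: bytes) -> str:
    """Poor man's `file -`: classify a blob by its magic bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "text"


def unwrap_once(data: bytes):
    """Peel one layer; returns (kind, inner_bytes). 'text' means nothing left to peel."""
    kind = identify(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        # Equivalent of `tar xO`: write every regular member's content to stdout, concatenated.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            members = [m for m in tf.getmembers() if m.isfile()]
            return kind, b"".join(tf.extractfile(m).read() for m in members)
    return kind, data


def recover(hexdump: str, max_layers: int = 32):
    """Reverse the hexdump, then unwrap layers until plain text; returns (layers, payload)."""
    data = xxd_reverse(hexdump)
    layers = []
    for _ in range(max_layers):
        kind, data = unwrap_once(data)
        if kind == "text":
            break
        layers.append(kind)
    else:
        # Cap protects against an attacker-supplied blob nested thousands of times.
        raise ValueError("too many layers; refusing to keep decompressing")
    return layers, data


def make_tar(payload: bytes, name: str) -> bytes:
    """Wrap one in-memory file into an uncompressed GNU-format tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo(name=name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample(secret: bytes) -> str:
    """Constructed data.txt: nest the secret innermost-first so recover() peels EXPECTED_LAYERS."""
    data = gzip.compress(secret)
    data = make_tar(data, "data8.bin")
    data = bz2.compress(data)
    data = make_tar(data, "data6.bin")
    data = make_tar(data, "data5.bin")
    data = gzip.compress(data)
    data = bz2.compress(data)
    data = gzip.compress(data)
    return xxd_dump(data)


if __name__ == "__main__":
    layers, payload = recover(build_sample(SECRET))
    print("layers peeled:", " -> ".join(layers))
    print("recovered:", payload.decode().strip())
```

Each `unwrap_once` call is one stage of the pipeline; the loop replaces the manual "add another command and re-run file -" cycle. The real `file` consults a much larger magic database, so on unfamiliar data check its output rather than trusting three magic-byte rules.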


So we learned about compression and the obfuscation of files by repeated compression. There are a few ways to handle this: one is the long, drawn-out method of decompressing and creating a new file at each step. The other is piping each decompression's output into the next decompression command, making one long command that reveals the answer.