Recap of Last Lesson: More obfuscation practice and decoding.
Find the password to the next level
- The password for the next level is stored in the file data.txt.
- data.txt is a hexdump of a file that has been repeatedly compressed.
This write-up is courtesy of xamien from reddit, who allowed me to post this excellent write-up. Thanks xamien! I added a brief intro to the lesson.
Our file is a hexdump of a compressed file, which means that simply reading it will not give us the result we are looking for. We need to convert the file into something we can see and manipulate. We use the command xxd, which normally creates hexdumps, but when used with the -r switch it reverses a hexdump and writes the original binary file back out. From there we will use a series of decompression commands piped into each other, revealing one uncompressed layer at each step. You could do the long method and uncompress each layer into a new file, one step at a time. I like xamien's method; it's much faster.
$ xxd -r data.txt foobar.bin
From here, use the file program to find out more about it:
$ file foobar.bin
foobar.bin: gzip compressed data, was "data2.bin", last modified: Fri Nov 14 04:32:20 2014, max compression, from Unix
So the first compression method was gzip. The challenge stated that the file was compressed multiple times, so there is going to be a chain of decompression commands to get to the original text. There is a trick we can use here: piping standard output from one command into another, repeatedly.
The compression programs gzip and bzip2 have companion programs called zcat and bzcat that read compressed data from standard input and write decompressed data to standard output, making them ideal for piping. The file command used earlier can also read from standard input by using - as the filename. This is a very common convention for Unix programs. By building a pipeline leading to file - we can see what the next step will be:
$ zcat foobar.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k
So the next decompression step will be bzcat:
$ zcat foobar.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", last modified: Fri Nov 14 04:32:20 2014, max compression, from Unix
The cat family of commands reads from standard input by default and writes to standard output by default, so by using a pipe (|) we are funneling zcat's output into bzcat, and bzcat's output through another pipe into file -. Repeating this, we get up to here:
$ zcat foobar.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)
tar is an archiving program, meaning it collects two or more files into one file using a format that allows the files to be extracted later. It doesn't do any compression itself, but .tar files are commonly compressed with gzip, bzip2, or other compression methods into a single easily distributed file, often called a "tarball". tar can write the extracted contents to standard output with the -x -O arguments, so we can continue building our pipeline:
$ zcat foobar.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)
tar again, so add it to the pipeline:
$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k
The complete command ends up looking like this:
$ zcat foobar.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text
Now you can run the command without the | file - and see the password.
So we learned about compression and the obfuscation of files by compression. There are definitely a few ways to do this: one is the long, drawn-out method of uncompressing and creating a new file at each step of the way; the other is piping each decompression command's output into the next, making one long command that reveals the answer.