Previous Level: Level 12
ssh bandit12@bandit.labs.overthewire.org -p 2220
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level, it may be useful to create a directory under /tmp in which you can work using mkdir.
A little bit of Theory
mkdir <path> can be used to create a new directory.
cp <source> <destination> copies files.
mv <source> <destination> moves or renames files.
Hexdumps are used when we want to look at data that cannot be represented as printable text, so it is easier to look at the hex value of each byte. A hexdump has three main columns. The first shows the offset (address) of the line within the file, the second shows the hex representation of the bytes at that offset and the last shows the same bytes as ASCII text, with ‘.’ standing in for every byte that is not a printable character. Many hex editors exist; just pick the one you like most.
For the command line, xxd can be used. xxd <input_file> <output_file> creates a hexdump. With the -r flag, xxd reverses the process: it reads a hexdump and writes the original bytes back out.
Hexdumps can be used to figure out the type of a file. Most file formats start with a magic number (file signature), and you can find lists of these signatures online. The file command, which was introduced in Level 5, also uses this method (and more beyond that). This is especially important to know because files do not always carry the correct file extension, or any extension at all, to identify their type: the extension is just part of the name and says nothing reliable about the content.
Compression is a method of encoding that aims to reduce the size of a file without losing information (lossless, which is what gzip and bzip2 do) or while losing as little as possible (lossy).
gzip is a command to compress or decompress (-d) files. A gzip file generally ends with .gz.
bzip2 is another command which allows for compressing and decompressing (-d) files. A bzip2 file generally ends with .bz2.
An archive file is a single file that contains one or multiple files together with their metadata (names, permissions, timestamps). This makes it easier to move a set of files around. Note that archiving is not compression: a plain tar archive is not smaller than its contents, which is why tar archives are usually compressed afterwards with gzip or bzip2.
tar is a command that creates archive files (-cf <archive> <files>). It also allows extracting these files again (-xf <archive>), and -tf <archive> lists the contents without extracting. A tar archive generally ends with .tar.
I have separated the task into three sub-tasks: setting up a directory, reversing the hexdump and finally decompressing.
Create Directory and Move file
The first part of the task is to create a folder and copy the data there, so that further actions work on a copy and not on the original file in the home directory.
Reading through the rules shown when we ssh into the server, we can also use mktemp -d to create a folder with a random name under /tmp, instead of using mkdir and choosing a name ourselves. Then we copy data.txt from the home directory (~) to the created directory. Because I had already changed into that directory, I used ‘.’ as the destination, meaning the file is copied with the same name into the current working directory. Finally, I used mv to rename the copy.
Revert hexdump of the file
Looking at the file, we see the format of the data. As stated, it is a hexdump. It looks like this:
However, we want to operate on the actual bytes, not on their textual hex representation. Therefore, we reverse the hexdump with xxd -r <hexdump_file> <output_file> and get the actual data.
The actual data looks like this when printed to the console:
Note: As mentioned in the theory part, the raw bytes are not readable as text; the hexdump is much clearer to view, so we keep using xxd to inspect the file at every step.
We now need to decompress the data. To figure out which decompression we need to use, we look at the first bytes in the hexdump to find the file signature and search for them in a list of file signatures. An alternative would be to use the file command, which does this lookup for us. For gzip-compressed files the header is \x1F\x8B\x08: 1F 8B is the gzip magic number and 08 means the data is compressed with the deflate method. Looking at the first line of the hexdump, we see that these are the first bytes of the file.
Now we can add the correct file ending by renaming the file, and decompress it with gzip -d.
Note: For gzip, renaming the file with a known ending (.gz) is necessary, because gzip -d refuses a file with an unknown suffix; alternatively, gzip -dc < file > out reads from standard input and does not care about the name at all. For the other commands the renaming is not required: bzip2 -d only warns that it cannot guess the original name and writes its output to <name>.out, and tar never looks at the name.
However, the data is still not fully decompressed, so we look at the first bytes again:
This time we have a different magic number. Quick googling tells us that BZ (= 42 5a) is the file signature for bzip2, the next byte h (= 68) marks the ‘h’ (Huffman) format introduced with version 2 of bzip2, and the byte after it is an ASCII digit from 1 to 9 giving the block size in hundreds of kilobytes. So we can rename the file with the appropriate file ending (.bz2) and decompress it with bzip2 -d.
And the file is still compressed.
xxd shows that it is gzip compressed again (1f 8b at the very start). So we repeat the previous steps, renaming and decompressing.
Now the output still doesn’t look right, but we can see some readable text. Using cat compressed_data or xxd compressed_data | head (head to only get the first 10 lines), we can see the string ‘data5.bin’, which is a filename. That is what a tar archive looks like: each member is preceded by a 512-byte header that starts with the member’s name and carries the string ‘ustar’ at offset 257, which is the signature to look for.
It seems like we now have an archive. So we use tar to extract the file:
Now, ‘data5.bin’ seems to be another archive with a file called ‘data6.bin’. So we extract the file again.
The file ‘data6.bin’ seems to be bzip2 compressed again.
‘data6.bin.out’ (the name bzip2 chooses when the input has no .bz2 ending) shows another file name, ‘data8.bin’, so it is a tar archive again and we extract this file.
Finally, we have to do one more decompression with gzip and we get a readable file with the password.
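The whole procedure above (check the first bytes, pick gzip, bzip2 or tar, unpack, repeat) can be automated. The script below is an added example and not part of the original walkthrough or of OverTheWire; the function names detect_type and unpack_all and the layerN file names are my own choice. detect_type needs only POSIX od and dd, so it works where file is not installed; unpack_all assumes gzip, bzip2 and tar are on PATH, and the usage block at the end assumes xxd for reversing the hexdump.

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: identify each layer of the
# nested file from its magic bytes (the manual "xxd | head" check, automated)
# and peel it off until the payload is no longer gzip, bzip2 or tar.
# detect_type needs only POSIX od/dd; unpack_all assumes gzip, bzip2 and tar exist.

# Print "gzip", "bzip2", "tar" or "unknown" for the file $1 (return 1 for unknown).
detect_type() {
    f=$1
    # First four bytes as lowercase hex, e.g. "1f8b0800" for a deflate gzip stream.
    head4=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $head4 in
        1f8b*)   echo gzip;  return 0 ;;   # 1F 8B = gzip magic (08 after it = deflate)
        425a68*) echo bzip2; return 0 ;;   # "BZh" = bzip2; next byte '1'-'9' = block size
    esac
    # A POSIX tar header is 512 bytes: the member name comes first (which is why
    # cat shows "data5.bin"), and the string "ustar" sits at offset 257.
    if [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
        echo tar; return 0
    fi
    echo unknown
    return 1
}

# Unpack $1 layer by layer into work directory $2; print the path of the final file.
# Reading from stdin (-dc < file) sidesteps gzip's "unknown suffix" refusal, so no renaming.
unpack_all() {
    cur=$1; dir=$2; n=0
    while t=$(detect_type "$cur"); do
        n=$((n + 1))
        out=$dir/layer$n
        case $t in
            gzip)  gzip -dc  < "$cur" > "$out" ;;
            bzip2) bzip2 -dc < "$cur" > "$out" ;;
            tar)   member=$(tar -tf "$cur" | head -n 1)     # first member name, e.g. data5.bin
                   tar -xf "$cur" -C "$dir" "$member"
                   mv "$dir/$member" "$out" ;;
        esac
        echo "layer $n: $t -> $out" >&2
        cur=$out
    done
    echo "$cur"
}

# Usage: ./unpack.sh ~/data.txt   (the level's hexdump is in xxd format, so xxd -r reverses it)
if [ $# -ge 1 ]; then
    work=$(mktemp -d)
    xxd -r "$1" > "$work/data.bin"
    cat "$(unpack_all "$work/data.bin" "$work")"
fi
```

Each layer is written to a fresh layerN file in the work directory, and the progress line on stderr shows the sequence of formats, which for this level should match the gzip, bzip2, gzip, tar, tar, bzip2, tar, gzip order found by hand above.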
Next Level: Level 14