What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2014-01-23

OverTheWire - Bandit - Level 12 to Level 13

Description:

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv
Helpful Reading Material
Hex dump on Wikipedia
Solution:
  1. [Comment] Using SSH to connect the server
  2. sp@simple-plan:~|=> ssh bandit12@bandit.labs.overthewire.org
    ...
    bandit12@bandit.labs.overthewire.org's password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
  3. [Comment] Using ls command to list directory contents
  4. bandit12@melinda:~$ ls
    data.txt
  5. [Comment] Using cat command to output file's contents
  6. bandit12@melinda:~$ cat data.txt
    0000000: 1f8b 0808 d095 b051 0203 6461 7461 322e .......Q..data2.
    0000010: 6269 6e00 013a 02c5 fd42 5a68 3931 4159 bin..:...BZh91AY
    0000020: 2653 5915 d9db 2800 0017 7fff ff5d f6ea &SY...(......]..
    0000030: e98b bff6 ff7f ffbf fce3 f7fa a3fb badb ................
    0000040: f3e9 f873 b7ff fcff cffb 7bff b001 3b35 ...s......{...;5
    0000050: b080 d000 0000 0000 1ea0 f534 3400 0d00 ...........44...
    0000060: d1a1 a1a1 a006 8680 0006 9ea0 6868 68f4 ............hhh.
    0000070: 81b5 0d34 d0c2 0d0d 3d13 47a4 cd44 01a1 ...4....=.G..D..
    0000080: a007 a801 a000 d1a0 d00d 0034 0640 1ea3 ...........4.@..
    0000090: 4c99 0000 d034 d1b5 3201 a0d1 a06d 4003 L....4..2....m@.
    00000a0: d403 351a 00f4 2347 a801 9348 1a7a 8034 ..5...#G...H.z.4
    00000b0: d340 0000 0006 690d 0000 0340 0d3d 46d1 .@....i....@.=F.
    00000c0: 341a 7a86 8190 1a1a 1a34 347a 8d00 001a 4.z......44z....
    00000d0: 6468 d006 8001 0403 0081 e752 1ca1 324a dh.........R..2J
    00000e0: 2d8d 2082 b927 606a 8dc4 4407 d0eb 1428 -. ..'`j..D....(
    00000f0: 8782 7c75 29f4 19d4 3b6a 1f7e 147f 5636 ..|u)...;j.~..V6
    0000100: 0183 4dbf 9a5d 968c 7340 d299 dd22 3024 ..M..]..s@..."0$
    0000110: 8ecc 1ffe 92b3 101b ca86 20bd 47f2 7958 .......... .G.yX
    0000120: 7d40 d62a 1dc8 8697 d109 66ae 1549 39df }@.*......f..I9.
    0000130: 95e2 2dad 4990 b250 9a0b f842 0ade e4fb ..-.I..P...B....
    0000140: 2717 ba73 0a60 9048 c4db 851b db3c 0e4d '..s.`.H.....<.M
    0000150: 9d04 a542 3d98 a411 65b8 116f 0710 19e3 ...B=...e..o....
    0000160: 210a 11d4 b9bc 5227 c02e f8ac fab6 f541 !.....R'.......A
    0000170: f934 9619 a951 6654 8482 4fd2 9ce7 af09 .4...QfT..O.....
    0000180: 0ed5 e29c 3482 e515 3882 07b5 8a2b 02e7 ....4...8....+..
    0000190: 5357 2cd5 c071 3d10 546c d9e2 aa49 a75c SW,..q=.Tl...I.\
    00001a0: 2ada f467 469d 4464 c20e f8f0 17d3 271d *..gF.Dd......'.
    00001b0: e3c6 ac3a 9f96 d17f 897c 04bf c445 d6bc ...:.....|...E..
    00001c0: a706 16b0 34bf 2f1b 3419 9eea 5d5a f7c0 ....4./.4...]Z..
    00001d0: 1ce4 5477 832b 2258 6b29 55ec 2155 2e66 ..Tw.+"Xk)U.!U.f
    00001e0: 2ad1 81d1 edd0 22fe 0f6c 9172 b0d2 3b93 *....."..l.r..;.
    00001f0: 42b3 079e 8013 c6ef 1425 82fe a53b 1898 B........%...;..
    0000200: c9b5 2111 5c53 eb19 6142 a8b6 480a a8eb ..!.\S..aB..H...
    0000210: 439e b18f 9269 890e dcec da54 614c 4eba C....i.....TaLN.
    0000220: fe8c 5c10 6586 1321 680b 9896 fdee b1d5 ..\.e..!h.......
    0000230: 8e68 d49a 11d4 868d 7e82 3238 4e13 dd44 .h......~.28N..D
    0000240: 9ad4 0081 b138 f17f e2ee 48a7 0a12 02bb .....8....H.....
    0000250: 3b65 0018 d921 743a 0200 00 ;e...!t:...
  7. [Comment] Since this is a hexdump format file, we need to do a reverse hex dump.
  8. [Comment] Create a temporary directory to store the reversed file
  9. bandit12@melinda:~$ mkdir -p /tmp/simple-plan/
  10. [Comment] Copy the file to the temporary directory
  11. bandit12@melinda:~$ cp data.txt /tmp/simple-plan/
  12. bandit12@melinda:~$ cd /tmp/simple-plan/
  13. bandit12@melinda:/tmp/simple-plan$ ls
    data.txt
  14. [Comment] Using xxd command to turn the hexdump file back into binary
  15. bandit12@melinda:/tmp/simple-plan$ xxd -r data.txt > banditfile
  16. [Comment] Using file command to determine the file type
  17. bandit12@melinda:/tmp/simple-plan$ file banditfile 
    banditfile: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun  6 13:59:44 2013, max compression
  18. [Comment] Append appropriate file extension
  19. bandit12@melinda:/tmp/simple-plan$ mv banditfile banditfile.gz
  20. [Comment] Decompress the gzip file
  21. bandit12@melinda:/tmp/simple-plan$ gzip -d banditfile.gz 
  22. bandit12@melinda:/tmp/simple-plan$ ls
    banditfile  data.txt
  23. [Comment] Using file command to determine the file type
  24. bandit12@melinda:/tmp/simple-plan$ file banditfile
    banditfile: bzip2 compressed data, block size = 900k
  25. [Comment] Append appropriate file extension
  26. bandit12@melinda:/tmp/simple-plan$ mv banditfile banditfile.bz2
  27. [Comment] Decompress the bzip2 file
  28. bandit12@melinda:/tmp/simple-plan$ bzip2 -d banditfile.bz2 
  29. bandit12@melinda:/tmp/simple-plan$ ls
    banditfile  data.txt
  30. [Comment] Using file command to determine the file type
  31. bandit12@melinda:/tmp/simple-plan$ file banditfile 
    banditfile: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression
  32. [Comment] Append appropriate file extension
  33. bandit12@melinda:/tmp/simple-plan$ mv banditfile banditfile.gz
  34. [Comment] Decompress the gzip file
    1. bandit12@melinda:/tmp/simple-plan$ gzip -d banditfile.gz 
  35. bandit12@melinda:/tmp/simple-plan$ ls
    banditfile  data.txt
  36. [Comment] Using file command to determine the file type
  37. bandit12@melinda:/tmp/simple-plan$ file banditfile 
    banditfile: POSIX tar archive (GNU)
  38. [Comment] Using tar command to extract files from an archive
  39. bandit12@melinda:/tmp/simple-plan$ tar -xvf banditfile 
    data5.bin
  40. [Comment] Using file command to determine the file type
  41. bandit12@melinda:/tmp/simple-plan$ file data5.bin 
    data5.bin: POSIX tar archive (GNU)
  42. [Comment] Using tar command to extract files from an archive
  43. bandit12@melinda:/tmp/simple-plan$ tar -xvf data5.bin  
    data6.bin
  44. [Comment] Using file command to determine the file type
  45. bandit12@melinda:/tmp/simple-plan$ file data6.bin 
    data6.bin: bzip2 compressed data, block size = 900k
  46. [Comment] Append appropriate file extension
  47. bandit12@melinda:/tmp/simple-plan$ mv data6.bin banditfile.bz2
  48. [Comment] Decompress the bzip2 file
  49. bandit12@melinda:/tmp/simple-plan$ bzip2 -d banditfile.bz2 
  50. bandit12@melinda:/tmp/simple-plan$ ls
    banditfile  data.txt
  51. [Comment] Using file command to determine the file type
  52. bandit12@melinda:/tmp/simple-plan$ file banditfile
    banditfile: POSIX tar archive (GNU)
  53. bandit12@melinda:/tmp/simple-plan$ tar -xvf banditfile 
  54. data8.bin
  55. [Comment] Using file command to determine the file type
  56. bandit12@melinda:/tmp/simple-plan$ file data8.bin 
    data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression
  57. [Comment] Append appropriate file extension and decompress the gzip file
  58. bandit12@melinda:/tmp/simple-plan$ mv data8.bin data8.gz ; gzip -d data8.gz 
  59. [Comment] Using file command to determine the file type
  60. bandit12@melinda:/tmp/simple-plan$ file data8 
    data8: ASCII text
  61. [Comment] Using cat command to output file's contents
  62. bandit12@melinda:/tmp/simple-plan$ cat data8 
    The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
  63. [Comment] Using exit command to disconnect connection to server
  64. bandit12@melinda:/tmp/simple-plan$ exit
    logout
    Connection to bandit.labs.overthewire.org closed.
  65. [Comment] It's done! Saving the password for next level.
Reference:
sshhttp://linuxcommand.org/man_pages/ssh1.html
lshttp://linuxcommand.org/man_pages/ls1.html
cathttp://linuxcommand.org/man_pages/cat1.html
exithttp://linuxcommand.org/man_pages/exit1.html
cdhttp://linuxcommand.org/lc3_man_pages/cdh.html
findhttp://linuxcommand.org/man_pages/find1.html
grephttp://linuxcommand.org/lc3_man_pages/grep1.html
sorthttp://linuxcommand.org/lc3_man_pages/sort1.html
uniqhttp://linuxcommand.org/man_pages/uniq1.html
stringshttp://linuxcommand.org/man_pages/strings1.html
base64http://linux.die.net/man/1/base64
trhttp://linuxcommand.org/man_pages/tr1.html
aliashttp://linuxcommand.org/man_pages/alias1.html
mkdirhttp://linuxcommand.org/man_pages/mkdir1.html
cphttp://linuxcommand.org/man_pages/cp1.html
xxdhttp://linuxcommand.org/man_pages/xxd1.html
filehttp://linuxcommand.org/man_pages/file1.html
mvhttp://linuxcommand.org/man_pages/mv1.html
gziphttp://linuxcommand.org/man_pages/gzip1.html
bzip2http://linuxcommand.org/man_pages/bzip21.html
tarhttp://linuxcommand.org/man_pages/tar1.html

5 comments:

  1. I think there might be an error on line 47. You mv data6.bin as banditfile.bz2 instead of changing the tag of the data6 file itself to give it the correct extension. This is what you actually do on line 58: data8.bin is renamed to data8.gz. In following these steps, I ran into an error after 47. When I tried to bizip2 -d banditfile.bz2, I got a notice saying that it couldn't do that because banditfile already existed. Which makes sense because at this point, by renaming data6.bin as banditfile.bz2, I created two files with the name banditfile. At least that's how I understand it.

    In order to get back on track, I added the -f (force) option (bizip2 -df banditfile.bz2) to make it overwrite the other banditfile. The process you describe on line 58, however, of changing the extension of the data8.bin file, worked without any problems, which makes me think that this is how line 47 should be done too.

    But maybe I'm missing something? Any further explanation would be great.

    ReplyDelete
  2. Thanks a heap. May your skin be clear and your 401k growing.

    ReplyDelete
  3. Thank u mate. saved ny day!

    ReplyDelete
  4. Had the same problem.

    TAR actually stands for Tape Archive (old magnetic tapes 😛)

    The -x tells to decompress,-v tells the file is verbose (details below),and -f tells that it is not a tape archive.

    More here: https://kb.iu.edu/d/acfi

    ReplyDelete