OverTheWire Bandit: Level 12 to Level 13

The Goal

data.txt is a hexdump of a file that has been repeatedly compressed. Reverse the hexdump, then decompress layer by layer until you reach plain text.

What a Hexdump Is

A hexdump represents binary data as hexadecimal values with the ASCII equivalent shown on the side. It’s used to inspect binary files in a readable format. xxd creates hexdumps and can reverse them with the -r flag.

Why Work in /tmp

Home directories on the Bandit server are read-only — you can’t create files there. This level requires creating multiple files as you work through compression layers. /tmp is where any user can write files. mktemp -d creates a randomly named directory there so other players can’t interfere with your work.

The Full Decompression Chain

Setting up the workspace:

mktemp -d
cd /tmp/tmp.hQ5fF7VduM
cp ~/data.txt .

Step 1 — Reverse the hexdump:

xxd -r data.txt > d1.gz
file d1.gz
# gzip compressed data
gzip -d d1.gz

Step 2 — bzip2:

file d1
# bzip2 compressed data
bzip2 -d d1
# outputs d1.out

Step 3 — gzip again:

file d1.out
# gzip compressed data
mv d1.out d1.gz
gzip -d d1.gz

Step 4 — tar:

file d1
# POSIX tar archive
mv d1 d1.tar
tar -xf d1.tar
# extracts data5.bin

Step 5 — tar again:

file data5.bin
# POSIX tar archive
mv data5.bin d1.tar
tar -xf d1.tar
# extracts data6.bin

Step 6 — bzip2 inside tar:

file data6.bin
# bzip2 compressed data
mv data6.bin d1.tar
tar -xf d1.tar
# GNU tar recognises the bzip2 compression itself; extracts data8.bin

Step 7 — final gzip:

file data8.bin
# gzip compressed data
mv data8.bin d1.gz
gzip -d d1.gz

Result:

file d1
# ASCII text
cat d1
# The password is qQYQiHOBPR8zR61qxYqX45quvihF2uzk

Mistakes I Made Along the Way

Not naming the initial file with the right extension. My first attempt created datatmp.txt and datatmp — gzip refused to decompress both because it requires a .gz extension. The fix was to name the output file d1.gz from the start:

xxd -r data.txt > d1.gz

Skipping file before renaming. Halfway through I renamed data8.bin to d1.tar without checking what it actually was. It was gzip, not tar. The tar extraction produced nothing because the file wasn’t actually a tar archive. Running file before every rename would have caught this immediately.

Overwriting data.txt. One of the tar archives contained a file called data.txt. Extracting it overwrote my original input file, breaking the whole chain. Using a name like original.txt for the starting file prevents this.

The Core Lesson

Always run file before decompressing. The file extension tells you nothing — a gzip file can be named anything. file reads the actual magic bytes at the start of the file to determine what it really is. The workflow is:

file → identify type → rename with correct extension → decompress → repeat

Skipping any step causes problems.
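
The same loop automated, as an added example that is not part of the original post: it reverses an xxd-style dump, identifies each layer by magic bytes rather than by name, and peels layers in memory so a tar member called data.txt cannot overwrite the input. It goes beyond the manual steps by handling any nesting order of gzip, bzip2 and tar; the function names and the sample payload are constructed for illustration.

```python
import bz2, gzip, io, tarfile

def unhexdump(text):
    """Reverse default xxd output: keep only each line's 39-character hex column."""
    return b"".join(bytes.fromhex(l.split(": ", 1)[1][:39]) for l in text.splitlines() if ": " in l)

def detect(data):
    """Classify a blob by its magic bytes, as `file` does, ignoring any name."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":  # tar magic sits at offset 257
        return "tar"
    return "other"

def peel(data, max_layers=32):
    """Strip layers in memory until no known magic matches."""
    layers = []
    while len(layers) < max_layers:
        kind = detect(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":  # read the first file member; nothing touches disk
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                data = tar.extractfile(next(m for m in tar if m.isfile())).read()
        else:
            break
        layers.append(kind)
    return layers, data

def tar_wrap(name, payload):  # helper for the constructed sample only
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_sample():  # constructed stand-in for data.txt (ASCII column omitted)
    blob = gzip.compress(b"The password is CONSTRUCTED-EXAMPLE\n")
    blob = bz2.compress(tar_wrap("data8.bin", blob))
    blob = tar_wrap("data5.bin", tar_wrap("data6.bin", blob))
    blob = gzip.compress(bz2.compress(gzip.compress(blob)))
    return "\n".join(f"{i:08x}: {blob[i:i + 16].hex(' ', -2):<39}" for i in range(0, len(blob), 16))

print(peel(unhexdump(build_sample())))
```

The max_layers bound stops the loop on input that keeps nesting indefinitely.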

Compression Tools Summary

| Type | Identified by file as | Extension needed | Command |
|---|---|---|---|
| gzip | gzip compressed data | .gz | gzip -d file.gz |
| bzip2 | bzip2 compressed data | .bz2 or none | bzip2 -d file |
| tar | POSIX tar archive | .tar | tar -xf file.tar |

Commands Used

| Command | What it did |
|---|---|
| mktemp -d | Created a random working directory in /tmp |
| xxd -r data.txt > d1.gz | Reversed the hexdump back to binary |
| file <filename> | Identified the compression type at each step |
| gzip -d <file>.gz | Decompressed gzip layers |
| bzip2 -d <file> | Decompressed bzip2 layers |
| tar -xf <file>.tar | Extracted tar archives |
| mv | Renamed files to add correct extensions before decompressing |

This post is licensed under CC BY 4.0 by the author.