OverTheWire Bandit: Level 12 to Level 13
The Goal
data.txt is a hexdump of a file that has been repeatedly compressed. Reverse the hexdump, then decompress layer by layer until you reach plain text.
What a Hexdump Is
A hexdump represents binary data as hexadecimal values with the ASCII equivalent shown on the side. It’s used to inspect binary files in a readable format. xxd creates hexdumps and can reverse them with the -r flag.
Why Work in /tmp
Home directories on the Bandit server are read-only — you can’t create files there. This level requires creating multiple files as you work through compression layers. /tmp is where any user can write files. mktemp -d creates a randomly named directory there so other players can’t interfere with your work.
The Full Decompression Chain
Setting up the workspace:
mktemp -d
cd /tmp/tmp.hQ5fF7VduM
cp ~/data.txt .
Step 1 — Reverse the hexdump:
xxd -r data.txt > d1.gz
file d1.gz
# gzip compressed data
gzip -d d1.gz
Step 2 — bzip2:
file d1
# bzip2 compressed data
bzip2 -d d1
# outputs d1.out
Step 3 — gzip again:
file d1.out
# gzip compressed data
mv d1.out d1.gz
gzip -d d1.gz
Step 4 — tar:
file d1
# POSIX tar archive
mv d1 d1.tar
tar -xf d1.tar
# extracts data5.bin
Step 5 — tar again:
file data5.bin
# POSIX tar archive
mv data5.bin d1.tar
tar -xf d1.tar
# extracts data6.bin
Step 6 — bzip2-compressed tar:
file data6.bin
# bzip2 compressed data
mv data6.bin d1.tar
# GNU tar detects the bzip2 compression itself when extracting, so no separate bzip2 -d is needed
tar -xf d1.tar
# extracts data8.bin
Step 7 — final gzip:
file data8.bin
# gzip compressed data
mv data8.bin d1.gz
gzip -d d1.gz
Result:
file d1
# ASCII text
cat d1
# The password is qQYQiHOBPR8zR61qxYqX45quvihF2uzk
Mistakes I Made Along the Way
Not naming the initial file with the right extension. My first attempt created datatmp.txt and datatmp — gzip refused to decompress both because it requires a .gz extension. The fix was to name the output file d1.gz from the start:
xxd -r data.txt > d1.gz
Skipping file before renaming. Halfway through I renamed data8.bin to d1.tar without checking what it actually was. It was gzip, not tar. The tar extraction produced nothing because the file wasn’t actually a tar archive. Running file before every rename would have caught this immediately.
Overwriting data.txt. One of the tar archives contained a file called data.txt. Extracting it overwrote my original input file, breaking the whole chain. Using a name like original.txt for the starting file prevents this.
The Core Lesson
Always run file before decompressing. The file extension tells you nothing — a gzip file can be named anything. file reads the actual magic bytes at the start of the file to determine what it really is. The workflow is:
file → identify type → rename with correct extension → decompress → repeat
Skipping any step causes problems.
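The same identify-then-unpack loop, automated in Python as an added example (not part of the original write-up). It classifies each layer by its magic bytes, as file does, and unpacks everything in memory, so it handles the layers in any order rather than only this level's sequence. The function names (unxxd, identify, peel, wrap_tar) and the sample payload are constructed for illustration.

```python
import bz2, gzip, io, tarfile

# (offset, signature, type): the magic bytes `file` looks for in these formats
MAGIC = [(0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar")]

def unxxd(dump: str) -> bytes:
    """Reverse default xxd output, one 'offset: hex groups  ascii' line at a time."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].lstrip().split("  ", 1)[0])
    return bytes(out)

def identify(blob: bytes) -> str:
    """Classify by content only; the file name and extension are never consulted."""
    for offset, magic, kind in MAGIC:
        if blob[offset:offset + len(magic)] == magic:
            return kind
    return "other"

def peel(blob: bytes, max_layers: int = 32):
    """Strip layers in memory; return (final bytes, list of layer types seen)."""
    layers = []
    while len(layers) < max_layers:
        kind = identify(blob)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "tar":
            # Read the member in memory: extracting to disk could overwrite data.txt.
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
                blob = tar.extractfile(next(m for m in tar if m.isfile())).read()
        else:
            return blob, layers
        layers.append(kind)
    raise ValueError("layer limit reached")

def wrap_tar(name: str, payload: bytes) -> bytes:  # only builds constructed sample input
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample, not the level's real data
    sample = gzip.compress(bz2.compress(wrap_tar("data5.bin", gzip.compress(b"sample text\n"))))
    print(peel(sample))
```

The layer cap stops a file that never reaches plain data from looping indefinitely.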
Compression Tools Summary
| Type | Identified by file as | Extension needed | Command |
|---|---|---|---|
| gzip | gzip compressed data | .gz | gzip -d file.gz |
| bzip2 | bzip2 compressed data | .bz2 or none | bzip2 -d file |
| tar | POSIX tar archive | .tar | tar -xf file.tar |
Commands Used
| Command | What it did |
|---|---|
| mktemp -d | Created a random working directory in /tmp |
| xxd -r data.txt > d1.gz | Reversed the hexdump back to binary |
| file <filename> | Identified the compression type at each step |
| gzip -d <file>.gz | Decompressed gzip layers |
| bzip2 -d <file> | Decompressed bzip2 layers |
| tar -xf <file>.tar | Extracted tar archives |
| mv | Renamed files to add correct extensions before decompressing |