Level goal: The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

 

This level is one of the most tedious stage in this CTF challenge. First, let’s move the file to a new directory in the /tmp folder under your name (create one using the mkdir command!).

Now we have to perform a reverse hashdump using xxd command,

bandit12@melinda:/tmp/kongwenbin12$ xxd -r data.txt > kwbfile

After performing the reverse hashdump command and writing the output to a file (in my case, I have named it “kwbfile”), run the file command to check what kind of file is it.

bandit12@melinda:/tmp/kongwenbin12$ file kwbfile
kwbfile: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression

From here onwards, the flow goes like this,

1. Identify what type of file is this, using the file command
2. Rename it to that particular file format, using the mv command to change its file type
3. Decompress/unzip the files using the correct type of tool
4. Repeat the above process until you have the file

The following is a dump of the commands I have, it will be quite lengthy. However, it basically follows the flow which I described above. I have added a “line break” after each change in file type, to make it easier to follow. I hope it helps!

Scroll to the bottom for the password to gain access to the next level. 

bandit12@melinda:/tmp/kongwenbin12$ file kwbfile
kwbfile: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kongwenbin12$ mv kwbfile kwbfile.gz
bandit12@melinda:/tmp/kongwenbin12$ gzip -d kwbfile.gz

bandit12@melinda:/tmp/kongwenbin12$ file kwbfile
kwbfile: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kongwenbin12$ mv kwbfile kwbfile.bz2
bandit12@melinda:/tmp/kongwenbin12$ bzip2 -d kwbfile.bz2

bandit12@melinda:/tmp/kongwenbin12$ file kwbfile
kwbfile: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kongwenbin12$ mv kwbfile kwbfile.gz
bandit12@melinda:/tmp/kongwenbin12$ gzip -d kwbfile.gz

bandit12@melinda:/tmp/kongwenbin12$ file kwbfile
kwbfile: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kongwenbin12$ mv kwbfile kwbfile.tar
bandit12@melinda:/tmp/kongwenbin12$ tar xvf kwbfile.tar
data5.bin

bandit12@melinda:/tmp/kongwenbin12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kongwenbin12$ mv data5.bin data5.tar
bandit12@melinda:/tmp/kongwenbin12$ tar xvf data5.tar
data6.bin

bandit12@melinda:/tmp/kongwenbin12$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kongwenbin12$ mv data6.bin data6.bz2
bandit12@melinda:/tmp/kongwenbin12$ bzip2 -d data6.bz2

bandit12@melinda:/tmp/kongwenbin12$ file data6
data6: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kongwenbin12$ mv data6 data6.tar
bandit12@melinda:/tmp/kongwenbin12$ tar xvf data6.tar
data8.bin

bandit12@melinda:/tmp/kongwenbin12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kongwenbin12$ mv data8.bin data8.gz
bandit12@melinda:/tmp/kongwenbin12$ gzip -d data8.gz

bandit12@melinda:/tmp/kongwenbin12$ file data8
data8: ASCII text
bandit12@melinda:/tmp/kongwenbin12$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

The password to gain access to the next level is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL.

Level goal: The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

As provided in the hint, we are required to perform a ROT13 “decode” on the file given. If you have been following this blog, you would have seen this InfoSec CTF which also requires to perform ROT13 decode to find the flag.

First, let’s look at the clue,

bandit11@melinda:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

Now, we can decode this using the ROT13 tool.

The password to gain access to the next level is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu.

Level goal: The password for the next level is stored in the file data.txt, which contains base64 encoded data

This level basically introduce us to base64 encoding, one of the most commonly used method to encode data in the wild, however, it is easily recognized and decoded due to all the tools available online. I have covered a few write up other CTF games that uses base64 encoding as well, such as the InfoSec CTF.

Since the server itself is running on a Linux distribution and all Unix operating systems has inbuilt support for the base64 command, we are easily perform a base64 decode directly.

bandit10@melinda:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The password to gain access to the next level is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR.

Level goal: The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

This level is similar to previous levels, which basically require us to search for the password in a text file. However, the difficulty is that you cannot perform the cat+grep command on it because it is a “binary” file instead of a text file.

This is when you can try out the strings command. Let’s look at the description of the strings command:

The string functions perform string operations on null-terminated strings. See the individual man pages for descriptions of each function.

In short, it goes through the entire file and any string values that it is able to find, it will display it to the output. As per the clue given to us to clear this level, let’s run a strings command on the data.txt file and grep only records with the “=” characters.

bandit9@melinda:~$ strings data.txt | grep "="
epr~F=K
7?YD=
?M=HqAH
/(Ne=
C=_"
I========== the6
z5Y=
`h(8=`
n\H=;
========== password
========== ism
N$=&
l/a=L)
f=C(
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
ie)=5e
bandit9@melinda:~$

The password to gain access to the next level is truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk.

Level goal: The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

This level can be quite tricky if you don’t know about commands like sort and uniq and how it really works.

There are several commands which seems to be able to produce the output, but failed to do so. Personally, I learnt from these trial and error.

First, let us look at the sort -u command and how it works.

bandit8@melinda:~$ sort -u data.txt 0dJUVh7xSLq6OkSLaxUydzRBVVJlc78x 1JF4GVFmFLq7XT2mYPpCzEl2aT33zxfh { … removed …} yqtqjt2cJPMU6AEataMQSNmPtZuV7nX9 yuFfSTNzXeACMYRXVcxIbXVUvMk1cMKl

As you can see above, the sort -u commands has removed all the duplicated copies of strings when it is displaying the output, the records are indeed unique (you can verify it), however, it does not show me which record is only output only once.

Next, we will look at the uniq -c command. What uniq does is basically performing a comparison between each line of text with its previous line to check if they are unique, thus it is recommended that we combine it with a simple sort command to group up the strings which are duplicated.

bandit8@melinda:~$ sort data.txt | uniq -c
10 0dJUVh7xSLq6OkSLaxUydzRBVVJlc78x
10 1JF4GVFmFLq7XT2mYPpCzEl2aT33zxfh
{ ... removed ... }
10 Thw7rjDiq6JPBdYSP5PdpvebvYa4Woio
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
10 VM88tiT9pkZtuPDK2GGC7IhnqfzHQwkK
{ ... removed ... }
10 yuFfSTNzXeACMYRXVcxIbXVUvMk1cMKl

The -c parameter will count the number of occurrences of that particular string and append a prefix of its count. As you can see from the above output, there is only 1 record of UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR whereas all other strings were repeated for 10 counts within data.txt file.

There is an even faster way to get the password, by using the –u parameter. It works similarly to -c, but instead of counting the number of occurrences and appending it as a prefix before each string, it actually discount away all those records which have more than 1 count and only display the records which are totally unique (only 1 count).

bandit8@melinda:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The password to gain access to the next level is UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR.