Bandit Level 13 Walkthrough

Level 12 ➔ Level 13: Reversing the Hex and Peeling the Onion

1. My Objective

I have a file named data.txt, which is a hexdump of a compressed file. My mission has two parts: I must first convert this text back into a binary file, and then repeatedly decompress it. The file has been packed multiple times in alternating layers of gzip, bzip2 and tar (strictly speaking, tar is an archive format rather than a compressor, but it is one more layer to open). I need to "peel" every layer until I find the plain text password at the very center.

The Workspace Strategy: I cannot create files in the home directory. I must use the /tmp directory to create a private workspace where I have permission to write and extract files.

2. The Feynman Explanation: Nesting Dolls and Blueprints

This level teaches two fundamental concepts in data forensics: Hexadecimal representation and Nested Compression.

The Architect's Blueprint Analogy:

1. The Hexdump: Imagine I have a blueprint (the data.txt) that describes exactly how to build a house. The blueprint is just paper and ink (text), but it represents a physical structure. To get the "house" (the binary file), I use xxd -r to follow the blueprint and build the actual structure.

2. Nested Compression: Now, imagine this house contains a locked safe. Inside that safe is a locked box. Inside that box is a sealed envelope. This is Repeated Compression.

I don't know what kind of "lock" each layer has. I use the file command as a Scanner to see if the current layer is a Safe (Gzip), a Box (Bzip2), or an Envelope (Tar). I then use the matching key to open it, repeating the process until I find the letter inside.

3. Practical Solution

I log in as bandit12. First, I create my workspace. Then, I begin the long process of reversing the data.

# Step 1: Create a workspace and copy the data
bandit12@bandit:~$ mkdir /tmp/pritom_work
bandit12@bandit:~$ cp data.txt /tmp/pritom_work
bandit12@bandit:~$ cd /tmp/pritom_work

# Step 2: Revert the hexdump to binary
bandit12@bandit:/tmp/pritom_work$ xxd -r data.txt > data

# Step 3: Peeling the layers (Example of the cycle)
bandit12@bandit:/tmp/pritom_work$ file data # Returns: gzip compressed data
bandit12@bandit:/tmp/pritom_work$ mv data data.gz
bandit12@bandit:/tmp/pritom_work$ gunzip data.gz

# I repeat this 'file -> mv -> decompress' cycle for every layer:
# Bzip2: bzip2 -d data.bz2
# Tar: tar -xf data.tar

# Finally, after many layers, I find the ASCII text file:
bandit12@bandit:/tmp/pritom_work$ cat data8
The password is wbWNoNnSAn929SAb36906sV...

🚀 My Pro Tips: Data Decompression

✨ The 'file' Command is Essential

In this level, I never guess. I always run file filename before every step. This tells me exactly which tool I need to use next (gzip, bzip2, or tar). In Linux, extensions are just labels; the file command looks at the actual internal "magic bytes" of the data.

⭐ Renaming for Tools

Tools like gzip are picky about names. gunzip refuses a file whose name does not end in .gz (it prints "unknown suffix -- ignored"), and bzip2 -d complains that it can't guess the original name and falls back to a .out suffix. That is why I use mv to give the file the extension that matches what file reported before running the decompression command. The alternative is to skip the rename and write to standard output instead: gzip -dc data > data2 and bzip2 -dc data > data2 work on any filename, and tar -xf never cared about the name in the first place.

🔍 Workspace Cleanup

Since I am working in /tmp, I am sharing that space with every other player on the box. Creating a directory with a unique name, or better, letting mktemp -d pick one, ensures my work doesn't get mixed up with anyone else's. mktemp -d also creates the directory with mode 0700, so the decompressed password is not readable by other players. When I am done, I rm -rf the workspace so the extracted password is not left behind for the next person who lands in /tmp.
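The cycle from the Practical Solution above, combined with the three pro tips (dispatch on what file reports, avoid renames with -c, work in a mktemp -d directory), as one script. This is my own added example, not part of the original walkthrough: it assumes file, xxd, gzip, bzip2 and tar are installed and that each tar layer holds exactly one member (true for this level); the layerN file names and the mktemp template are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the walkthrough: automate the
# "file -> decompress -> repeat" cycle inside a private mktemp workspace.
# Assumes file, xxd, gzip, bzip2 and tar are installed, and that each tar
# layer holds exactly one member (true for this level). The layerN names
# and the mktemp template are my own choices.
set -eu

# peel_one SRC DST: open one layer of SRC into DST, dispatching on the magic
# bytes `file -b` reports rather than on the file name. Returns 1 when SRC is
# not a container we know, which means we have reached the centre.
peel_one() {
    local src="$1" dst="$2" kind d
    kind=$(file -b "$src")
    case "$kind" in
        gzip\ compressed*)  gzip  -dc "$src" > "$dst" ;;   # -c: no .gz suffix needed
        bzip2\ compressed*) bzip2 -dc "$src" > "$dst" ;;   # same trick for bzip2
        *tar\ archive*)
            d=$(mktemp -d "$dst.d.XXXXXX")                 # extract into a scratch dir
            tar -xf "$src" -C "$d"
            mv "$d"/* "$dst"                                # single member -> next layer
            rmdir "$d" ;;
        *) return 1 ;;
    esac
}

# peel_onion HEXDUMP: revert the hexdump, peel every layer, and print the
# path of the innermost file. All intermediate files stay in the workspace
# so each step can be inspected afterwards.
peel_onion() {
    local hexdump="$1" work n=0 cur next
    work=$(mktemp -d "${TMPDIR:-/tmp}/peel.XXXXXX")        # mode 0700: other players cannot read it
    cur="$work/layer0"
    xxd -r "$hexdump" > "$cur"                              # blueprint -> binary
    while :; do
        n=$((n + 1)); next="$work/layer$n"
        peel_one "$cur" "$next" || break                    # stop at the first non-container
        cur="$next"
    done
    printf '%s\n' "$cur"
}

# Usage: bash peel.sh data.txt
if [ -n "${1:-}" ]; then
    inner=$(peel_onion "$1")
    printf '%s: %s\n' "$inner" "$(file -b "$inner")"
    cat "$inner"
fi
```

Because every layer is kept as layer0, layer1, ... in the workspace, I can run file on each one afterwards and see the whole gzip/bzip2/tar sequence; remember to rm -rf the workspace when finished.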

4. Why this matters

I encounter this "onion" structure frequently in digital forensics. Malware often hides its true code by compressing and encrypting it multiple times. Being able to calmly identify the file type at each stage and move closer to the "raw" data is a core skill for any security analyst or forensic investigator.

Onion Peeled!

I've successfully navigated the maze of compression. I'll save this password and move on to Level 13 ➔ Level 14, where I will use SSH keys for the first time!

Tags: #Linux #Bandit #OverTheWire #Hexdump #XxdCommand #Compression #Gzip #Bzip2 #Tar #Forensics #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips
