Bandit 12




bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir data
bandit12@bandit:~$ cp data.txt ./data
bandit12@bandit:~$ cd data
bandit12@bandit:~/data$ ls
data.txt
bandit12@bandit:~/data$ file data.txt
data.txt: ASCII text
0000000: 1f8b 0808 4572 4259 0203 6461 7461 322e  ....ErBY..data2.
0000010: 6269 6e00 0143 02bc fd42 5a68 3931 4159  bin..C...BZh91AY
0000020: 2653 59a3 fd61 8800 0019 ffff dffb 1ff5  &SY..a..........
0000030: f7d7 dfdb fe4f ffb3 b5f7 ffdf b2d8 fefb  .....O..........
0000040: e7dd fffa fefd 7f7b d1fb fe3f b001 3b56  .......{...?..;V
0000050: a106 81a0 1a00 07a8 0068 01a1 a69a 0000  .........h......
0000060: d1a0 d034 6868 34f5 0641 a000 000d 000f  ...4hh4..A......
0000070: 5064 00d0 321a 69e9 0323 1a27 a883 4003  Pd..2.i..#.'..@.
0000080: 41a0 01ea 0000 0003 4000 0068 7a4f 4800  A.......@..hzOH.
0000090: 0c8c 803d 41a0 64d1 a3d4 d1a3 6a68 01a0  ...=A.d.....jh..
00000a0: 34da 8340 003d 4347 a83a 69a6 8699 0034  4..@.=CG.:i....4
00000b0: 3203 4610 343d 4000 6234 6432 069e a00c  2.F.4=@.b4d2....
00000c0: 8680 69a3 4d0d 1881 9000 1900 3400 0d00  ..i.M.......4...
00000d0: 001a 3206 8cc1 4249 8508 8813 0cf6 ce06  ..2...BI........
00000e0: 5837 3148 89c4 7af4 249d 2dcb 4bc5 8f39  X71H..z.$.-.K..9
00000f0: 9ed6 9f41 2011 470a fcac 1d3f 5fd0 fae5  ...A .G....?_...
0000100: ca35 1f6a f9a5 2253 3da7 fe12 0e54 3bfc  .5.j.."S=....T;.
0000110: f546 d795 5b5b b218 51bb 6a4a 2176 a525  .F..[[..Q.jJ!v.%
0000120: c163 5427 28cb ca0e 11e8 14a5 3151 984a  .cT'(.......1Q.J
0000130: b111 babe 9321 a582 352d 4b8d 95eb d73e  .....!..5-K....>
0000140: 44a4 0eae 9017 ac79 0cdc 2eef fb1a 58a6  D......y......X.
0000150: 0465 0172 5f40 d46b 038e 06e1 8f20 7786  .e.r_@.k..... w.
0000160: 199d 546a 2235 d14b 265c 3a3e c24c 43e1  ..Tj"5.K&\:>.LC.
0000170: 9d52 2a1b 128c a4f7 b58b 1301 3008 ed35  .R*.........0..5
0000180: 4d9f 058f 2108 a40c 208d 37c8 0202 e10a  M...!... .7.....
0000190: e601 f06c f954 993c 1b5f 6e2a 931f a423  ...l.T.<._n*...#
00001a0: 51db a07e 0870 2691 8e58 f448 bf13 3a43  Q..~.p&..X.H..:C
00001b0: 6940 b41e 7155 5125 a01e e10c c9c0 494d  i@..qUQ%......IM
00001c0: 22e8 e933 e961 5908 16a0 356e c5fa d9a0  "..3.aY...5n....
00001d0: 827f 8b51 ed30 9f2c 8e76 8e2e efa4 03a0  ...Q.0.,.v......
00001e0: bde0 d1ea 7771 153f cb1a b15e 4b85 6b9b  ....wq.?...^K.k.
00001f0: 0619 d3a5 867e 4013 d548 4931 b116 e814  .....~@..HI1....
0000200: 4c44 445c 21e5 2a81 4495 4589 8770 3af5  LDD\!.*.D.E..p:.
0000210: 8b2a 1c71 4f4d 59ac e072 9427 7d3e 5764  .*.qOMY..r.'}>Wd
0000220: 6a63 eb50 dd7d 1922 e854 6334 2e45 95e0  jc.P.}.".Tc4.E..
0000230: 2538 dbc8 0a7b f841 a882 58bf f0aa 487d  %8...{.A..X...H}
0000240: 4c51 0b6e e561 8960 c0b0 0167 45f4 1499  LQ.n.a.`...gE...
0000250: cff1 7724 5385 090a 3fd6 1880 d817 301f  ..w$S...?.....0.
0000260: 4302 0000                                C...
bandit12@bandit:~/data$ 
 

Read the instructions first. mkdir creates a folder named data in our current working directory; we then use cp to copy the data.txt file into that newly created directory. I then switch to that directory, verify data.txt is there, check its file type, and check its contents. From here I head to the wiki page they so generously provided us, see that the "xxd" command is used for hexdumps, and go read its man page.

I see this little switch:

-r | -revert
reverse operation: convert (or patch) hexdump into binary. If not writing to stdout, xxd writes into its output file without truncating it. Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout. Additional Whitespace and line-breaks are allowed anywhere.

Let's use this:

bandit12@bandit:~/data$ xxd -r data.txt

That's an ugly output, and guess what?

bandit12@bandit:~/data$ file data.txt
data.txt: ASCII text

Our file didn't change either :/ Let's try again.


bandit12@bandit:~/data$ xxd -r data.txt > data
bandit12@bandit:~/data$ ls
data  data.txt
bandit12@bandit:~/data$ cat data
So we converted our hexdump back into binary, then redirected the output into a file called data. That file was created by the redirection; it didn't exist before. It's a nice shortcut.


bandit12@bandit:~/data$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:~/data$ 
Okay, nice! Let's look up the man page for gzip:

Compressed files can be restored to their original form using gzip -d or gunzip or zcat. If the original name saved in the compressed file is not suitable for its file system, a new name is constructed from the original one to make it legal.
gunzip takes a list of files on its command line and replaces each file whose name ends with .gz, -gz, .z, -z, _z or .Z and which begins with the correct magic number with an uncompressed file without the original extension. gunzip also recognizes the special extensions .tgz and .taz as shorthands for .tar.gz and .tar.Z respectively. When compressing, gzip uses the .tgz extension if necessary instead of truncating a file with a .tar extension.
gunzip can currently decompress files created by gzip, zip, compress, compress -H or pack. The detection of the input format is automatic. When using the first two formats, gunzip checks a 32 bit CRC. For pack, gunzip checks the uncompressed length. The standard compress format was not designed to allow consistency checks. However gunzip is sometimes able to detect a bad .Z file. If you get an error when uncompressing a .Z file, do not assume that the .Z file is correct simply because the standard uncompress does not complain. This generally means that the standard uncompress does not check its input, and happily generates garbage output. The SCO compress -H format (lzh compression method) does not include a CRC but also allows some consistency checks.
Files created by zip can be uncompressed by gzip only if they have a single member compressed with the 'deflation' method. This feature is only intended to help conversion of tar.zip files to the tar.gz format. To extract a zip file with a single member, use a command like gunzip <foo.zip or gunzip -S .zip foo.zip. To extract zip files with several members, use unzip instead of gunzip.
zcat is identical to gunzip -c. (On some systems, zcat may be installed as gzcat to preserve the original link to compress.) zcat uncompresses either a list of files on the command line or its standard input and writes the uncompressed data on standard output. zcat will uncompress files that have the correct magic number whether they have a .gz suffix or not.

Okay, that's a long read. Relevant stuff only:
  • Compressed files can be restored to their original form using gzip -d or gunzip or zcat.
  • gunzip can currently decompress files created by gzip, zip, compress, compress -H or pack.
  • zcat is identical to gunzip -c. (On some systems, zcat may be installed as gzcat to preserve the original link to compress.)
  • zcat will uncompress files that have the correct magic number whether they have a .gz suffix or not.
That last bullet is important. I used zcat last time I played this, so I wanted to try an alternative.

bandit12@bandit:~/data$ gzip -dc data
bandit12@bandit:~/data$ ls
data  data.txt

It's a different output, right? There isn't a new file? The -c switch writes the decompressed data to standard output and leaves the input file unchanged.

bandit12@bandit:~/data$ cat data

Okay, I guess I'm going to make a new file.

bandit12@bandit:~/data$ gzip -dc data > data2
bandit12@bandit:~/data$ file data2
data2: bzip2 compressed data, block size = 900k
bandit12@bandit:~/data$ bzip -d data2
-bash: bzip: command not found
bandit12@bandit:~/data$ bzip2 -d data2
bzip2: Can't guess original name for data2 -- using data2.out
bandit12@bandit:~/data$ file data2.out
data2.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:~/data$ ls
data  data.txt  data2.out
bandit12@bandit:~/data$ gzip -dc data2.out > data3
bandit12@bandit:~/data$ file data3
data3: POSIX tar archive (GNU)
bandit12@bandit:~/data$  tar -xf data3
bandit12@bandit:~/data$ ls
data  data.txt  data2.out  data3  data5.bin
bandit12@bandit:~/data$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:~/data$ tar -xf data5.bin
bandit12@bandit:~/data$ ls
data  data.txt  data2.out  data3  data5.bin  data6.bin
bandit12@bandit:~/data$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:~/data$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:~/data$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:~/data$ tar -xf data6.bin.out
bandit12@bandit:~/data$ ls
data  data.txt  data2.out  data3  data5.bin  data6.bin.out  data8.bin
bandit12@bandit:~/data$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:~/data$ gzip -dc data8.bin > data4
bandit12@bandit:~/data$ ls
data  data.txt  data2.out  data3  data4  data5.bin  data6.bin.out  data8.bin
bandit12@bandit:~/data$ file data4
data4: ASCII text
bandit12@bandit:~/data$ cat data4
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:~/data$ 


 

Hmm, relatively smooth sailing from here on out. -d typically meant decode. The "tar -xf" is pretty normal if you've ever had to extract a tarball before. I guessed that bzip2's decode switch was "-d" because I read the man page for gzip, I knew "tar -xf" beforehand, and I had to check the man page for xxd -r. All in all, this was an easy level and mildly interesting. It forced me to think a little about "gzip" and read a bit.
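
The same peel-until-plaintext loop as an added Python example (not part of the original post): it reverses an xxd dump and unwraps gzip, bzip2 and tar layers by their magic numbers, entirely in memory. The nested sample is constructed inline, and the member name inner.bin and all function names are hypothetical.

```python
import bz2, gzip, io, tarfile

MAGIC = ((0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar"))

def xxd_reverse(dump):
    """Rebuild bytes from xxd lines of the form 'offset: hex groups  ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:  # hex ends at the two-space gap before the ASCII column
            hex_part = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
            out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def identify(blob):
    """Classify by magic number: (offset, signature, name) from MAGIC."""
    for offset, magic, kind in MAGIC:
        if blob[offset:offset + len(magic)] == magic:
            return kind
    return "data"

def untar_first(blob):
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        member = next(m for m in tar if m.isfile())
        return tar.extractfile(member).read()  # read in memory, nothing hits disk

DECODERS = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "tar": untar_first}
def peel(blob, max_layers=20):
    """Unwrap layers until no known magic remains; returns (layers, payload)."""
    layers = []
    while identify(blob) in DECODERS:
        if len(layers) == max_layers:  # bound the loop against endless nesting
            raise ValueError("too many nested layers")
        layers.append(identify(blob))
        blob = DECODERS[layers[-1]](blob)
    return layers, blob

def build_sample(secret):
    """Constructed input: secret -> tar -> bzip2 -> gzip -> xxd-style dump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("inner.bin")  # hypothetical member name
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = gzip.compress(bz2.compress(buf.getvalue()))
    asc = lambda r: "".join(chr(b) if 32 <= b < 127 else "." for b in r)
    rows = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    return "\n".join(f"{n * 16:07x}: {r.hex(' ', -2):<39}  {asc(r)}" for n, r in enumerate(rows))

if __name__ == "__main__":
    print(peel(xxd_reverse(build_sample(b"constructed secret\n"))))
```

Because every layer is decoded from a byte string, the tar step never writes an attacker-chosen path to disk, and max_layers stops a file that nests forever.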



