Bandit Level 12, OverTheWire, Knowledge

The Goal

The password is stored in data.txt, which is a hexdump of a file that has been repeatedly compressed. The level also suggests creating a temporary working directory using mktemp -d.

Setting Up a Workspace

Since the home directory is read-only, the work happens in a temporary directory:

bandit12@bandit:~$ mktemp -d

/tmp/tmp.KgWQ3lQ68o

bandit12@bandit:~$ cp data.txt /tmp/tmp.KgWQ3lQ68o

bandit12@bandit:~$ cd /tmp/tmp.KgWQ3lQ68o

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ ls

data.txt

Decompression Chain

The first step is reversing the hexdump back to binary using xxd -r. The resulting file needs a .gz extension for gunzip to accept it:

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ xxd -r data.txt revert.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file revert.gz

revert.gz: gzip compressed data, was "data2.bin", last modified: Tue Oct 14 09:26:00 2025, max compression, from Unix, original size modulo 2^32 572

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ gunzip -kN revert.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ ls

data2.bin  data.txt  revert  revert.gz

data2.bin is bzip2 compressed. bunzip2 cannot infer the output name, so it uses data2.bin.out:

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data2.bin

data2.bin: bzip2 compressed data, block size = 900k

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ bunzip2 -k -9 data2.bin

bunzip2: Can't guess original name for data2.bin -- using data2.bin.out

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data2.bin.out

data2.bin.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 14 09:26:00 2025, max compression, from Unix, original size modulo 2^32 20480

Rename to .gz and decompress again:

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ gunzip -kN data3.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ ls

data2.bin  data3.gz  data4.bin  data.txt  revert  revert.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data4.bin

data4.bin: POSIX tar archive (GNU)

Two layers of tar archives follow, each containing the next compressed file:

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ tar -xf data4.bin

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data5.bin

data5.bin: POSIX tar archive (GNU)

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ tar -xf data5.bin

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data6.bin

data6.bin: bzip2 compressed data, block size = 900k

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ bunzip2 -k9 data6.bin

bunzip2: Can't guess original name for data6.bin -- using data6.bin.out

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data6.bin.out

data6.bin.out: POSIX tar archive (GNU)

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ mv data6.bin.out data7.bin

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ tar -xf data7.bin

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data8.bin

data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 14 09:26:00 2025, max compression, from Unix, original size modulo 2^32 49

One final decompression:

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ mv data8.bin data8.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ gunzip -kN data8.gz

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ file data9.bin

data9.bin: ASCII text

bandit12@bandit:/tmp/tmp.KgWQ3lQ68o$ cat data9.bin

The password is password

Commands Covered

mktemp -d, create a temporary directory with a unique name
xxd -r, reverse a hexdump back to binary
file <name>, identify the type of a file
gunzip -kN, decompress gzip, keeping the original and restoring the original filename
bunzip2 -k, decompress bzip2, keeping the original file
tar -xf, extract a tar archive

← Level 11

Level 13 →

Bandit | Level 12 → Level 13

The Goal

Setting Up a Workspace

Decompression Chain

Commands Covered