📝 OverTheWire Bandit Level 10: Extracting Strings and Finding Patterns

Level 10 combines skills from previous levels—you'll use strings to extract readable text from a binary file, then use grep to filter for specific patterns. This is a common workflow in penetration testing when dealing with binary files that contain embedded readable strings.

Level 10 teaches you:

• Using strings to extract human-readable text from binary files
• Using grep to search for specific patterns (like ==)
• Combining strings and grep with pipes
• Finding passwords hidden in binary data
• Understanding why strings makes binary files readable

This level builds on what you learned in Level 8 (grep) and introduces strings for binary file analysis. This combination is essential for real-world security work.

---

🎯 The Objective

After logging into bandit9, your goal is to find the password for Level 10. The password is in a file called data.txt in your home directory. The file is binary (not plain text), but it contains some human-readable strings. The password is located after several = (equals) characters.

What Level 10 teaches:

• Using strings to extract readable text from binary files
• Using grep to search for patterns containing =
• Combining commands with pipes
• Finding passwords in binary data
• Understanding binary vs. text files

The challenge: The file is binary, so you can't just cat it and read it. You need to extract the human-readable strings first, then filter for lines containing = characters to find the password.

---

🔍 Understanding the Problem

Let's start by connecting to Level 9 and seeing what we're dealing with:

sshpass -p `cat bandit9` ssh bandit9@bandit.labs.overthewire.org -p 2220

Once connected, let's check the data.txt file:

ls -la data.txt
file data.txt

The file command tells you what type of file it is. You should see something like "data" or "binary" instead of "ASCII text".

The problem: How do you extract readable text from a binary file and find the password that appears after = characters?

The answer: Use strings to extract human-readable strings, then use grep to filter for lines containing =.

---

🧠 Understanding the strings Command

Let's dive deeper into strings, because it's incredibly useful for binary file analysis:

What strings Does

The strings command scans binary files for printable character sequences:

strings filename

What it does:

• Scans the file for sequences of printable characters
• Extracts strings that are at least 4 characters long (by default)
• Outputs only human-readable text
• Ignores binary data, control codes, and non-printable characters

Why this matters: Binary files contain non-text data, but they often have readable strings embedded in them. The strings command extracts these readable parts, making it easier to find passwords, URLs, error messages, and other useful information.

Common strings Usage

Basic usage:

strings filename

With minimum length:

strings -n 10 filename
# Extracts strings at least 10 characters long

For Level 10: We use strings data.txt to extract all readable strings from the binary file.

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 9

sshpass -p `cat bandit9` ssh bandit9@bandit.labs.overthewire.org -p 2220

Step 2: Check the File Type

Let's see what type of file data.txt is:

file data.txt

You should see something like "data" or "binary" instead of "ASCII text". This confirms it's not a plain text file.

Step 3: Try Reading It Directly (Won't Work)

Let's see what happens if we try to read it like a text file:

cat data.txt | head -20

You'll see garbage characters, control codes, and binary data. This won't help us find the password.

Step 4: Extract Human-Readable Strings

Now use strings to extract readable text:

strings data.txt

What strings does:

• Scans the binary file for printable character sequences
• Extracts strings that are human-readable
• Outputs only text that could be meaningful

You should see many readable strings, but most won't be relevant. We need to filter for lines containing = characters.

Step 5: Filter for Lines Containing =

Use grep to filter for lines that contain =:

strings data.txt | grep "=="

Breaking this down:

• strings data.txt — Extracts human-readable strings from the binary file
• | — Pipes the output to the next command
• grep "==" — Filters for lines containing == (two equals signs)

Why ==? The password appears after several = characters. Searching for == helps find lines with multiple equals signs, which is more specific than just =.

Output: You should see one or more lines that contain ==. One of them will have the password after the equals signs. It might look something like:

========== thepasswordishere

Step 6: Extract the Password

Look for the line that starts with multiple = characters. The password is the string that appears after those equals signs. Copy that string—that's your password for Level 10.

Step 7: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit10

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit10 -NoNewline

Step 8: Connect to Level 10

sshpass -p `cat bandit10` ssh bandit10@bandit.labs.overthewire.org -p 2220

---

💡 Understanding Why strings Works

Let's dive deeper into why strings is necessary:

Binary Files vs. Text Files

Text files:

• Contain readable characters
• Can be opened in text editors
• Show as "ASCII text" with file command
• Can be read directly with cat

Binary files:

• Contain non-text data (executable code, images, data formats)
• Show as "data" or specific binary types with file command
• Show garbage when read with cat
• Need special tools like strings to extract readable parts

Why Binary Files Contain Readable Strings

Binary files often contain embedded readable strings:

• Executables — Error messages, help text, version info
• Data files — Passwords, URLs, configuration data
• Memory dumps — Passwords, keys, session tokens
• Firmware — Default passwords, configuration strings

The strings command extracts these readable parts, making it possible to find passwords and other useful information in binary files.

---

🛠️ Alternative Methods

Here are different ways to find the password:

Method 1: strings | grep "==" (Recommended)

strings data.txt | grep "=="

Pros: Simple, efficient, standard approach Cons: None really

Method 2: Using grep with Single =

strings data.txt | grep "="

Pros: Simpler pattern Cons: Might match too many lines (any line with a single =)

Note: Using == is more specific and reduces false positives.

Method 3: Using strings with Minimum Length

strings -n 5 data.txt | grep "=="

Pros: Filters out very short strings Cons: Might miss short passwords (unlikely for Level 10)

Method 4: Manual Search (Not Recommended)

strings data.txt
# Manually scan through hundreds of lines...

Pros: Simple, no new commands Cons: Extremely slow, error-prone, nearly impossible

For Level 10, use Method 1 — it's the most efficient and teaches you valuable skills.

---

🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll constantly encounter binary files that contain readable strings:

1. Malware Analysis

When analyzing malware, you'll use strings to find:

• Command and control (C2) server addresses
• Encryption keys
• File paths
• Registry keys
• API endpoints

Example: Finding C2 servers in malware:

strings malware.exe | grep -E 'http[s]?://'

2. Executable Analysis

When analyzing executables, you'll find:

• Hardcoded passwords
• API keys
• Database connection strings
• Configuration data
• Error messages that reveal information

Example: Finding hardcoded credentials:

strings program.exe | grep -i "password\|passwd\|pwd"

3. Memory Dumps

When analyzing memory dumps, you'll extract:

• Passwords from memory
• Encryption keys
• Session tokens
• Process information

Example: Extracting passwords from memory dump:

strings memory.dump | grep -E '^[A-Za-z0-9]{8,}$'

4. Firmware Analysis

When analyzing firmware, you'll find:

• Default passwords
• Backdoor credentials
• Configuration data
• Version information

Example: Finding default passwords in firmware:

strings firmware.bin | grep -i "admin\|password\|default"

5. Data File Analysis

When analyzing data files, you'll extract:

• User credentials
• API keys
• Configuration strings
• Sensitive data

Example: Finding credentials in data files:

strings datafile.bin | grep -E 'password|pwd|secret'

6. Combining with Other Tools

Real-world analysis often combines multiple tools:

Example: Finding and analyzing potential passwords:

strings binaryfile | grep "==" | grep -E '^[A-Za-z0-9]{20,}$'

The skill you're learning: How to extract readable data from binary files and filter for specific patterns. This is essential when:

• Analyzing malware
• Examining executables
• Processing memory dumps
• Analyzing firmware
• Extracting data from binary formats
• Finding hidden credentials or keys

---

🚨 Common Mistakes

Mistake 1: Trying to Read Binary Files with cat

Wrong:

cat data.txt | grep "=="
# Won't work! Binary file, grep can't process it properly

Right:

strings data.txt | grep "=="
# Extract strings first, then filter

Why: Binary files contain non-text data. You need strings to convert it to text first.

Mistake 2: Wrong grep Pattern

Wrong:

strings data.txt | grep "="
# Finds ALL lines with = anywhere, too many results

Right:

strings data.txt | grep "=="
# More specific, finds lines with multiple equals

Why: Using == is more specific and reduces false positives. It targets lines with multiple equals signs, which is more likely to be the password line.

Mistake 3: Not Using strings First

Wrong:

grep "==" data.txt
# Won't work - binary file, grep can't process it properly

Right:

strings data.txt | grep "=="
# Extract strings first, then filter

Why: grep works on text, but data.txt is binary. You need strings to convert it to text first.

Mistake 4: Reading the Wrong Part of the Output

Confusion: "I see multiple lines with ==—which one is the password?"

Clarification:

• Look for the line that starts with multiple = characters
• The password is usually the longest or most complete-looking string after the = characters
• It might be formatted like ========== passwordhere or similar

For Level 10: The password line typically starts with several = characters and contains a complete password string after them.

Mistake 5: Not Understanding File Types

Confusion: "Why can't I just cat the file?"

Clarification:

• Text files contain readable characters
• Binary files contain non-text data (executables, images, data formats)
• The file command tells you what type a file is
• Binary files need special tools like strings to extract readable data

Check file type:

file data.txt
# Tells you if it's text or binary

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Create a test binary file:

   echo -e "This is text\n========== secretpassword\nMore text" > test.txt
   # Note: This creates a text file, but you can practice with it
   

2. Use strings on it:

   strings test.txt
   # Should show readable strings
   

3. Filter for lines with ==:

   strings test.txt | grep "=="
   # Should show: ========== secretpassword
   

4. Try with a real binary (if available):

   strings /bin/ls | grep "==" | head -5
   # Shows strings from the ls executable containing ==
   

5. Find specific patterns:

   strings /bin/ls | grep -i "error\|version"
   # Finds error messages or version strings
   

6. Clean up:

   rm test.txt
   

---

🎓 Understanding grep Patterns

This is a good time to understand grep patterns better:

Basic Patterns

Literal text:

grep "==" file.txt
# Matches lines containing exactly "=="

Case-insensitive:

grep -i "password" file.txt
# Matches "password", "Password", "PASSWORD", etc.

Invert match:

grep -v "error" file.txt
# Shows lines that DON'T contain "error"

Pattern Matching

Multiple characters:

grep "==" file.txt
# Matches lines with two consecutive equals signs

Why == vs =?

• = matches any line with a single equals sign (very common)
• == matches lines with two consecutive equals signs (more specific)
• For Level 10, == is more specific and reduces false positives

For Level 10: We use grep "==" to find lines containing multiple equals signs, which is more likely to be the password line.

---

🔗 What's Next?

Level 11 introduces base64 encoding—a common way to encode data. You'll learn how to decode base64-encoded strings to reveal hidden passwords.

Before moving on, make sure you:

• ✅ Understand the difference between text and binary files
• ✅ Can use strings to extract readable text from binary files
• ✅ Know how to use grep with patterns (like ==)
• ✅ Can combine strings and grep to filter results
• ✅ Understand why binary files need special tools

---

📚 Key Takeaways

After completing Level 10, you should understand:

1. Binary vs. text files — Binary files contain non-text data and need special tools
2. strings command — Extracts human-readable text from binary files
3. grep patterns — Using specific patterns like == to reduce false positives
4. Command chaining — Combining strings and grep to filter results
5. File type identification — Using file to determine if a file is text or binary

---

🎯 Quick Reference

Problem	Solution	Example
Extract readable strings from binary	Use strings	strings binaryfile
Filter lines with pattern	Use grep	grep "=="
Extract and filter	Chain commands	strings file | grep "=="
Identify file type	Use file	file filename
Find longer strings	Use -n option	strings -n 10 file

---

Questions about Level 10 or using strings and grep? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice