
OverTheWire Bandit Level 13: Reversing Hex Dumps and Multiple Compression Layers

OverTheWire Bandit Level 13 walkthrough. Learn how to reverse hex dumps with xxd, decompress multiple compression formats (gzip, bzip2, tar), and iteratively extract passwords from nested compressed files.



Level 13 is a multi-step challenge that combines several skills: hex dump reversal, file type identification, and multiple compression formats. The password is buried deep: you'll need to reverse a hex dump, then decompress the file multiple times using different compression methods until you reach readable text.

Level 13 teaches you:

  • Using xxd -r to reverse hex dumps
  • Identifying file types with file command
  • Decompressing gzip files with gunzip
  • Decompressing bzip2 files with bzip2 -d
  • Extracting tar archives with tar -xvf
  • Iterative problem-solving with multiple compression layers

This level is more complex than previous ones: it requires multiple steps and teaches you to work through problems systematically. This is real-world stuff you'll encounter when analyzing compressed data, backups, and archived files.


🎯 The Objective

After logging into bandit12, your goal is to find the password for Level 13. The password is in a file called data.txt in your home directory. The file is a hex dump that has been repeatedly compressed with different compression methods.

What Level 13 teaches:

  • Reversing hex dumps with xxd -r
  • Identifying file types with file command
  • Decompressing gzip files
  • Decompressing bzip2 files
  • Extracting tar archives
  • Working through multiple compression layers iteratively

The challenge: The file starts as a hex dump. You need to reverse it, then repeatedly decompress it using different tools (gzip, bzip2, tar, etc.) until you reach ASCII text containing the password.


πŸ” Understanding the Problem

Let's start by connecting to Level 12 and seeing what we're dealing with:

sshpass -p `cat bandit12` ssh bandit12@bandit.labs.overthewire.org -p 2220

Once connected, let's check the data.txt file:

cat data.txt | head -20

You should see a hex dump: lines of hexadecimal numbers and ASCII characters. It will look something like:

00000000: 1f8b 0808 2750 6455 0203 6461 7461 322e  ....'PdU..data2.
00000010: 6269 6e00 013d 02d2 fd42 5a68 3931 4159  bin..=...BZh91AY
00000020: 2653 597d 0d37 1800 0018 7fff ffff ffff  &SY}.7..........

The problem: How do you reverse this hex dump and then decompress the resulting file multiple times to get the password?

The answer: Use xxd -r to reverse the hex dump, then use file to identify the compression type, then decompress iteratively until you reach ASCII text.


🧠 Understanding Hex Dumps

Let's dive deeper into hex dumps, because understanding them helps:

What Is a Hex Dump?

A hex dump is a representation of binary data in hexadecimal format:

  • Shows bytes as hexadecimal numbers (00-FF)
  • Often includes ASCII representation on the right
  • Used for debugging, analysis, and data transfer

Example hex dump:

00000000: 4865 6c6c 6f20 576f 726c 640a           Hello World.

Breaking it down:

  • 00000000: - Offset (byte position within the file)
  • 4865 6c6c 6f - Hexadecimal bytes
  • Hello World. - ASCII representation

Why Hex Dumps Exist

Hex dumps are used for:

  • Debugging - Inspecting binary data
  • Data transfer - Sending binary data as text
  • Analysis - Examining file contents
  • Forensics - Analyzing disk images and memory dumps

Reversing Hex Dumps

The xxd -r command reverses a hex dump back to binary:

  • xxd - Creates hex dumps (or reverses them)
  • -r - Reverse mode (hex dump → binary)

For Level 13: We use xxd -r to convert the hex dump back to a binary file.


Step-by-Step Walkthrough

Step 1: Connect to Level 12

sshpass -p `cat bandit12` ssh bandit12@bandit.labs.overthewire.org -p 2220

Step 2: Reverse the Hex Dump

First, reverse the hex dump to create a binary file:

xxd -r data.txt > data.bin

Breaking this down:

  • xxd -r - Reverses the hex dump (converts hex back to binary)
  • data.txt - The input hex dump file
  • > - Redirects output to a file
  • data.bin - The output binary file

What this does: Converts the hex dump back to its original binary format.

Step 3: Identify the File Type

Now check what type of file data.bin is:

file data.bin

You should see something like "gzip compressed data" or similar. This tells you what compression method was used.

Step 4: Decompress Based on File Type

The file will be compressed multiple times. You'll need to decompress it iteratively. Here's the typical sequence:

First Compression: gzip

If file shows "gzip compressed data":

mv data.bin data.gz
gunzip data.gz

Breaking this down:

  • mv data.bin data.gz - Renames the file to have .gz extension (required for gunzip)
  • gunzip data.gz - Decompresses the gzip file (creates data)

Why rename? gunzip expects files to have a .gz extension. If the file doesn't have the extension, rename it first.

Second Compression: bzip2

Check the file type again:

file data

If it shows "bzip2 compressed data":

mv data data.bz2
bzip2 -d data.bz2

Breaking this down:

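  • mv data data.bz2 - Renames to .bz2 extension
  • bzip2 -d - Decompresses the bzip2 file (creates data, because the .bz2 suffix is stripped)

Note: If the input name has no suffix that bzip2 recognizes (for example, if you skip the rename), bzip2 -d cannot guess the original name and writes the output to a file with an added .out extension instead.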

Third Compression: gzip Again

Check the file type:

file data
# or file data.out (if bzip2 created that)

If it shows "gzip compressed data" again:

mv data data.gz
# or: mv data.out data.gz
gunzip data.gz

Fourth Compression: tar

Check the file type:

file data

If it shows "POSIX tar archive":

tar -xvf data

Breaking this down:

  • tar -xvf - Extracts tar archive
    • -x - Extract
    • -v - Verbose (show files being extracted)
    • -f - File to extract

This will extract files from the tar archive. Check what was extracted:

ls -la

Continue Until ASCII

Keep checking file types and decompressing:

file <filename>

Continue decompressing until file shows "ASCII text". Then read the file:

cat <filename>

The password will be in that ASCII text file.

Step 5: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit13

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit13 -NoNewline

Step 6: Connect to Level 13

sshpass -p `cat bandit13` ssh bandit13@bandit.labs.overthewire.org -p 2220

Understanding Compression Formats

Let's dive deeper into the compression formats you'll encounter:

gzip

  • What it is: GNU zip compression
  • Extension: .gz
  • Decompress: gunzip file.gz or gzip -d file.gz
  • Identify: file shows "gzip compressed data"

Example:

file data.gz
# Output: gzip compressed data

gunzip data.gz
# Creates: data (decompressed)

bzip2

  • What it is: Burrows-Wheeler compression
  • Extension: .bz2
  • Decompress: bzip2 -d file.bz2
  • Identify: file shows "bzip2 compressed data"

Example:

file data.bz2
# Output: bzip2 compressed data

bzip2 -d data.bz2
# Creates: data (decompressed; the .bz2 suffix is stripped)

tar

  • What it is: Tape archive (not compression, but archiving)
  • Extension: .tar
  • Extract: tar -xvf file.tar
  • Identify: file shows "POSIX tar archive" or "tar archive"

Example:

file data.tar
# Output: POSIX tar archive

tar -xvf data.tar
# Extracts files from archive

Note: tar archives can be compressed too (.tar.gz, .tar.bz2), but in Level 13, you'll encounter them separately.


πŸ› οΈ The Complete Process

Here's a summary of the typical Level 13 process:

# Step 1: Reverse hex dump
xxd -r data.txt > data.bin

# Step 2: Check file type
file data.bin
# Output: gzip compressed data

# Step 3: Decompress gzip
mv data.bin data.gz
gunzip data.gz

# Step 4: Check file type
file data
# Output: bzip2 compressed data

# Step 5: Decompress bzip2
mv data data.bz2
bzip2 -d data.bz2

# Step 6: Check file type
# (bzip2 -d data.bz2 strips the suffix, so the output is named data)
file data
# Output: gzip compressed data

# Step 7: Decompress gzip again
mv data data.gz
gunzip data.gz

# Step 8: Check file type
file data
# Output: POSIX tar archive

# Step 9: Extract tar
tar -xvf data

# Step 10: Check extracted files
ls -la
file data5.bin  # (or whatever was extracted)

# Step 11: Continue decompressing...
# (Repeat until you get ASCII text)

# Step 12: Read the password
cat <final_ascii_file>

Important: The exact sequence may vary, but the process is the same:

  1. Check file type with file
  2. Decompress/extract based on type
  3. Repeat until you get ASCII text
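
The check-then-decompress loop above can be scripted. This is an added example, not part of the original walkthrough: peel, make_sample and MAX_LAYERS are hypothetical names, and the sample dump is constructed inline rather than taken from the level. It streams each layer through stdin, so no renaming is needed, and it caps the number of layers.

```sh
#!/bin/sh
# Added example: automate the "file, decompress, repeat" loop from this page.
# MAX_LAYERS and both function names are assumptions made for this sketch.
MAX_LAYERS=20   # refuse to loop forever on hostile or self-referencing input

# peel HEXDUMP: print the ASCII text under all layers; non-zero on failure.
# The body runs in a subshell, so variables and the EXIT trap stay local.
peel() (
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  cur="$work/layer0"; i=0
  xxd -r "$1" > "$cur" || exit 1
  while [ "$i" -lt "$MAX_LAYERS" ]; do
    i=$((i + 1)); next="$work/layer$i"
    kind=$(file -b "$cur")
    case "$kind" in
      # Reading from stdin with -c avoids the .gz/.bz2 rename step.
      gzip\ compressed*)  gzip -dc  < "$cur" > "$next" ;;
      bzip2\ compressed*) bzip2 -dc < "$cur" > "$next" ;;
      *tar\ archive*)
        # Single-member archives only; -O streams the member to stdout,
        # so no path stored in the archive is ever written to disk.
        [ "$(tar -tf "$cur" | wc -l)" -eq 1 ] || break
        tar -xOf "$cur" > "$next" ;;
      *ASCII\ text*) cat "$cur"; exit 0 ;;
      *) break ;;   # unknown type: stop instead of guessing a tool
    esac || break
    cur="$next"
  done
  echo "peel: gave up at layer $i: $kind" >&2
  exit 1
)

# make_sample OUT: write a constructed dump (text > gzip > tar > bzip2 > gzip).
make_sample() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  echo "The password is CONSTRUCTED_EXAMPLE_VALUE" > "$d/data8"
  gzip "$d/data8"
  tar -cf "$d/data6.tar" -C "$d" data8.gz
  bzip2 -c "$d/data6.tar" | gzip -c | xxd > "$1"
)

# Stand-alone use: sh peel.sh data.txt
if [ "$#" -gt 0 ]; then peel "$1"; fi
```

Working in a private temporary directory and stopping on any type other than gzip, bzip2, tar or ASCII text keeps the loop predictable when the input is not the file you expected.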

Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll constantly encounter compressed and archived files:

1. Backup Files

Backup files are often compressed:

  • Database backups (.sql.gz, .sql.bz2)
  • Configuration backups (.tar.gz)
  • Log archives (.log.gz)

Example: Extracting compressed backups:

gunzip backup.sql.gz
# or
tar -xzf backup.tar.gz

2. Malware Analysis

Malware often uses compression to:

  • Hide payloads
  • Reduce file size
  • Obfuscate code
  • Package multiple files

Example: Analyzing compressed malware:

file suspicious_file
# Determine compression type
# Decompress accordingly

3. Log File Analysis

Log files are often compressed:

  • Old logs (.log.gz, .log.bz2)
  • Rotated logs (.log.1.gz)
  • Archived logs (.tar.gz)

Example: Analyzing compressed logs:

gunzip access.log.gz
grep "error" access.log

4. Data Extraction

When extracting data from systems:

  • Compressed dumps
  • Archived files
  • Nested archives
  • Multiple compression layers

Example: Extracting nested archives:

tar -xzf archive.tar.gz
cd extracted_directory
bzip2 -d data.bz2

5. Forensics

In digital forensics, you'll encounter:

  • Compressed disk images
  • Archived evidence
  • Nested compression
  • Hex dumps of memory

Example: Processing forensic data:

xxd -r memory.dump > memory.bin
file memory.bin
# Decompress based on type

The skill you're learning: How to systematically work through multiple compression layers. This is essential when:

  • Analyzing backups
  • Processing archived data
  • Extracting compressed files
  • Working with nested archives
  • Handling hex dumps and binary data

Common Mistakes

Mistake 1: Not Checking File Type

Wrong:

xxd -r data.txt > data.bin
gunzip data.bin
# Wrong! File might not be gzip

Right:

xxd -r data.txt > data.bin
file data.bin
# Check type first, then decompress accordingly

Why: Different compression formats need different tools. Always check the file type first.

Mistake 2: Wrong File Extension

Wrong:

file data.bin
# Shows: gzip compressed data
gunzip data.bin
# Error! gunzip expects .gz extension

Right:

file data.bin
# Shows: gzip compressed data
mv data.bin data.gz
gunzip data.gz
# Works!

Why: Some decompression tools require specific file extensions. Rename the file if needed.

Mistake 3: Not Continuing the Process

Wrong:

gunzip data.gz
cat data
# Stops after first decompression

Right:

gunzip data.gz
file data
# Check type, continue decompressing if needed

Why: The file might be compressed multiple times. Keep checking and decompressing until you get ASCII text.

Mistake 4: Wrong Decompression Tool

Wrong:

file data
# Shows: bzip2 compressed data
gunzip data
# Wrong tool! Use bzip2 -d

Right:

file data
# Shows: bzip2 compressed data
bzip2 -d data
# Correct tool (without a .bz2 suffix, bzip2 warns that it cannot guess the original name and writes data.out)

Why: Each compression format needs its specific tool. Match the tool to the file type.

Mistake 5: Not Extracting Tar Contents

Wrong:

file data
# Shows: POSIX tar archive
cat data
# Shows binary data, not the contents

Right:

file data
# Shows: POSIX tar archive
tar -xvf data
# Extracts files from archive
ls -la
# Check what was extracted

Why: Tar archives contain files: you need to extract them, not read the archive directly.


Practice Exercise

Try these to reinforce what you learned:

  1. Create a hex dump:

    echo "Hello" | xxd > test.hex
    cat test.hex
    
  2. Reverse the hex dump:

    xxd -r test.hex
    # Output: Hello
    
  3. Create compressed files:

    echo "test" > test.txt
    gzip test.txt
    file test.txt.gz
    
  4. Decompress:

    gunzip test.txt.gz
    cat test.txt
    
  5. Clean up:

    rm test.hex test.txt
    

Understanding xxd Command

This is a good time to understand xxd better:

Creating Hex Dumps

Basic usage:

xxd filename

Creates hex dump of a file

Reversing Hex Dumps

Reverse mode:

xxd -r hexfile > binaryfile

Converts hex dump back to binary

Common Options

  • -r - Reverse mode (hex → binary)
  • -p - Plain hexdump (no offsets or ASCII)
  • -l length - Limit number of bytes

For Level 13: We use xxd -r to reverse the hex dump.


What's Next?

Level 14 introduces SSH keys, a more secure way to authenticate. You'll learn to use SSH private keys to connect to servers without passwords, which is essential for real-world security work.

Before moving on, make sure you:

  • ✅ Successfully reversed the hex dump with xxd -r
  • ✅ Can identify file types with file command
  • ✅ Know how to decompress gzip files
  • ✅ Know how to decompress bzip2 files
  • ✅ Know how to extract tar archives
  • ✅ Can work through multiple compression layers iteratively

Key Takeaways

After completing Level 13, you should understand:

  1. Hex dumps - Representation of binary data in hexadecimal
  2. xxd -r command - Reverses hex dumps back to binary
  3. File type identification - Using file to determine compression type
  4. Multiple compression formats - gzip, bzip2, tar
  5. Iterative decompression - Working through multiple layers systematically

🎯 Quick Reference

Problem           | Solution      | Example
Reverse hex dump  | Use xxd -r    | xxd -r file.hex > file.bin
Check file type   | Use file      | file filename
Decompress gzip   | Use gunzip    | gunzip file.gz
Decompress bzip2  | Use bzip2 -d  | bzip2 -d file.bz2
Extract tar       | Use tar -xvf  | tar -xvf file.tar
Rename file       | Use mv        | mv oldname newname
