The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
This seems like a job for cat and grep again, except this time we will probably want to use a regex, since we know the password is preceded by several ‘=’ characters.
Binary vs String data
Oops. This file is binary. We don’t want to dump all of it, as there will be control characters and all kinds of other potentially non-printable characters.
There is a magical command called strings which will find all the strings in the file, and output them. This may not seem like a big deal, but with a few pieces of knowledge you can extract all kinds of info from binaries.
A few years ago, I had this nagging feeling that AWS credentials were hard coded in a binary since I knew it connected to S3. I used strings <binary_name> to dump all strings. There were a LOT. This binary was HUGE.
Knowing that the AWS access key id starts with AKI, I just piped that output through grep and found the access key id. It was easy to grab the AWS secret access key from there, and then you have API credentials as that user with whatever permission they granted it.
Grep has tons of support for regex. In our case, we just needed simple functionality. The ^ character anchors the pattern to the beginning of the line, so the characters that follow it must appear at the very start of each string that strings prints. Below shows the difference between matching strings that start with === and strings that just contain ===.
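The same comparison on a constructed file, as an added example that is not from the original post: make_sample writes a few printable strings between non-printable bytes (all sample data, including the placeholder password), and the tr fallback for hosts without strings is an assumption of this example.

```shell
#!/bin/sh
# Added example: anchored vs. unanchored grep over the output of strings.

# Write a constructed binary: printable runs separated by non-printable bytes.
make_sample() {
    {
        printf '\001\002\377\376'
        printf 'x===y has the marker mid-line'
        printf '\000\200\201'
        printf '========== constructedSamplePassword'   # placeholder, not a real password
        printf '\000\007\033'
        printf '=== the'
        printf '\000\377'
        printf 'plain text'
        printf '\000'
    } > "$1"
}

# Printable runs of 4+ characters. Uses strings when installed; the tr
# pipeline is this example's approximation for hosts without binutils.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# ^ anchors the match to the start of each extracted string.
starts_with_marker() { printable_strings "$1" | grep '^==='; }

# Without ^, any string containing === anywhere matches.
contains_marker() { printable_strings "$1" | grep '==='; }

sample=$(mktemp)
make_sample "$sample"
echo "starts with ===:"; starts_with_marker "$sample"
echo "contains ===:";    contains_marker "$sample"
rm -f "$sample"
```

The unanchored pattern also returns the x===y line, which is the kind of noise the ^ anchor removes when the marker is known to lead the string.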