 What is up, everybody? Welcome back to another YouTube video. My name is John Hammond, and we are still looking at the Linux Offset Club. You can find online, just an online war game for some Linux stuff, and let's get back to where we were. I'm going to change the directory, get us back into the folder that we've dedicated for this stuff, and we had just gotten the password for user 10, which we saw was Sharkbait, kind of a different format than what we were used to, because it was originally just an MD5 hash that we were able to see in the previous user 9 account. So let's paste that password in. Hopefully my connection will work through. Oh, am I right or wrong? Okay, cool. I didn't paste it all right. Sweet. What do we have here? Password.text. Whoa! Lot of randomness. Okay, whatever. What is that other file? WordCloud. Text. WordCloud in order. Hmm, so I thought this was pretty peculiar when I first looked at it. Keep in mind I am running through these challenges kind of, not, I can't say backwards, but I have done this already. I have gone through all these solutions, and I know what I'm doing already. So I want to say that, okay, what this is trying to tell us is that everything in this password file should be made into a WordCloud. I don't know where my accent came from when I slurred that word, whatever. They should be made into a WordCloud. So if you were to Google WordCloud, you can try this thing that I found on Google. I wasn't able to paste anything in there. Maybe if I, will that work? Okay, no, it's not in the format that it wanted. So I ignored this one. I went to Wordle, which is where I originally kind of heard of this idea. And then I gave it all those words and it didn't work. I waited here for a little bit and nothing happened. So, okay, I moved on. I went to the WordCloud generator where I could just paste this in, hit the go button, and I found Angry Major Watch. And I'm assuming that this is just by the, like I said, in order, just how we saw the file, in order of the size, the words, or how big that they're seeing. Originally, when I actually solved this challenge, like for real, for the very first time, I didn't do this because I had no idea that it was referring to a real WordCloud. The way I did this was I checked the file and then I separated these all into new lines by TR to transform and kind of replace. I removed all the spaces with new line characters so they were each on their own individual line. And then what I did was I sorted them so all the duplicates would come together. And I'm assuming in order, I guess, I don't know. I put them in unique so they were all one by one. And then I used Tax C to note the count that they, all these words had. And a lot of these kind of had strange duplicates, right? Like each of them are all occurring like four times. That number four was the most common. So what I actually, I ignored all of those four words, all the ones that came in four times. I used Greptac V to inverse what I was searching for. And then I found Angry Major Watch having other occurrences more than the other words. Cool. So I essentially did the same process that Wordle or that WordCloud was doing just through Linux commands. Thought I would share that with you. The password is Angry Major Watch all as those words. That's user11.tex, Angry Major Watch. No spaces in between. Let's jump out of this and paste that into user11 and we are logged in. That works. All right, cool. Now what do we got here? Whoa. All right. Long file. Don't want to search through that by hand. What are we looking for here? Let's ask ourselves. Well, all we care about is a password, right? Let's check if there is any notion of password in here. Nope, not like that. What if we make it case insensitive? Oh, okay. Yeah, we have a hit. So all I did was I catted that file and piped it into Grep, piped it so that standard output, everything that cat spat out, we could just give to Grep. And I don't need to supply a file name because it's already being input into Grep. And we're just looking for password. We're supplying to Grep what we want to actually find. I use tag I for case insensitive because it looks like password match with the capital P and that's the password that we want. Nice. Okay, cool. Let's save that as user12.txt. Cool. Break out of this guy, move into user12 and let's try and solve this one. Catpasser.txt. Whoa, okay. A lot of base64. We know now that from kind of another video or anything else I've kind of covered that probably this string of random looking characters, a lot of capitalization and kind of numbers. This looks like base64. And if you've never seen base64 before, shame on you. I'm just kidding, not really. But it's a super common kind of encoding that you'll see in a lot of capture flag competitions for one thing. But it's just kind of used a lot to hide stuff, hide text, hide data because it's another form of encoding, whatever. This is a good example. You can always tell when it's base64 just by trailing equal signs because it has to be a multiple of four in length. So you'll see maybe zero, one, two, or three equal signs at the end just that it's used for padding. But you get used to seeing it enough that you'll be able to pick it up just with your eyes, get a lot of random capitalization letters and numbers and letters and stuff like that. Okay. So if this is base64, we can pipe this into the base64 command. There is one that's built into Linux. By default, it encodes into base64. But if you give it the tack D argument, it will decode. Okay. But it looks like it's still a lot of giant base64 stuff. Do I decode it again? It's still base64. Well, hmm, okay. So I'm thinking right now this is recursive base64. It's some message, the password that has been base64 encoded and then encoded again and encoded again and encoded again, et cetera. So we would have to just infinitely or who knows how long for how many times we would have to keep decoding this over and over and over again. And we don't know how to do this by hand, right? That's going to suck. So let's do this in a smart way. I'm going to make a directory for me in the temporary directory. Okay, whatever that exists. Let's just call it John two. And let's copy that password into temp John two, just so I have a place to live because I'm going to make a lot of files in this process. What I want to do is I want to kind of drill down into this base64 over and over and over again, this base64 message of the string that's been encoded over and over and over again. And I want to decode it as quickly as I can. So the way that I do this is I actually take this original file and I move it to something called zero or zero dot text. So that way I can use a numeric value for what I've actually kind of made here. And I can keep I'm using zero rather than one, because I'm going to refer to this, this file that I'm currently looking at backwards. I'm going to say, okay, I'm going to iterate from one to whoever much I want. And then I'll use one minus one or I'll use like the previous value as an as I'm iterating through these numbers to refer to the last file that I was using. So I got to start here with the zero dot text. This probably doesn't make a whole lot of sense as I'm talking through it, but I'll show it to you in code right now. So also a four I in one, two, I guess 50. And then we'll we'll just echo I right now. As you can see, okay, I'm counting one to 50. And let's get another command in here, let's say let so I can use math and bash. Let's let P equal to the value of I minus one. Cool. So now I can echo I and P. So I being my previous value. Great. I can refer to the previous value in that iteration that I'm looping through with that loop. This is just a syntax for a one line kind of inline for loop and bash. Normally you do this with a do and a done acting as your code blocks, maybe in a text editor, but for our quick and dirty stuff in one line. This will work just fine for us. I'm just using semicolons to denote. Okay, here's the start of a statement in the end of one in this block. And it's all, like I said, in one line. So okay, now that we're using let in that tack P to note the previous variable. We can say base 64 tack decode tack P dot tax dollar sign P to note the previous value. So zero in this case, right? The first iteration is zero. And let's put that to I dot text. So now we're going zero, decoded redirected to one, and then one decoded redirected to two, and then two decoded redirected to three. And it's making this loop for us and kind of moving across all of these files. Once we kind of run the crank on that, eventually we get an error. Okay, maybe we didn't hit as far as we thought we would. But now we have all these text files from everything that we've made. So how big are them? How big are they? You can see as the numbers kind of change, the file size decreases because we are decoding these. So let's check out the, sorry, I don't know why I keep getting accents. Let's check out the smallest thing we've got right now 41 dot text 41 dot text. Huh. Okay, it has a string in it password dot text, whatever. What about, what came out of that, what came before that 40 dot text? What is 40 dot text? Okay, that still looks like base 64. And you can, you can see it is because of the equal sign here. So what the heck is 41 dot text? It looks like it has a password dot text file name in it. So what is this? It's clearly not a text file. Let's run a file on it 41 dot text. Oh, and it thinks it's GZIP compressed data. All right, so let's move 41 dot text to pass dot GZ. Now pass dot GZ is or was password dot text and let's gun zip that. Let's G unzip pass dot GZ. Looks like it worked. Now we have a password dot text file. Let's check that out. No, no, no, that's the original one. So what happened here? Well, okay, our, excuse me, our pass dot GZ isn't there anymore. Now it's just pass. What is that? It looks like it's just ASCII text. There it is. Awesome. There is the password for user 13. Let's check that out. Linux offset user 13 dot text, paste that in. Get out of here. Try an association with that user. Paste it in and we are logged in. Perfect. Okay, levels and users 10 through 12 complete. Let's finish up the series with users 13 through 15 in the next video. Thank you guys so much for watching. I hope you guys are really enjoying these. I hope they're kind of a fun, quick series and you're still having a good time with them. Learn a few things. See you in the next video.