Decoding base64 encoded data from the command line and why recognising and reversing encoding schemes is an essential skill in every SOC analyst's toolkit.

Introduction

Day 11. Bandit Level 10 to Level 11. The previous level dealt with a file that was unreadable because it was binary. This level presents a file that is completely readable but makes no sense. The content looks like random characters arranged in a long string. It is not random. It is base64 encoded data and decoding it takes a single command.

This level introduces encoding as a concept distinct from encryption. Base64 is not a security mechanism. It is a way of representing binary data as printable text so it can be safely transmitted or stored in systems that only handle text. Attackers use it constantly to obscure payloads, commands and stolen data because it looks unfamiliar to anyone who does not recognise the format immediately.

By the end of this article you will know how to identify base64 encoded content, decode it from the command line and understand why this skill appears in malware analysis, phishing investigation and incident response on a regular basis.

Level Objective

The password for Level 11 is stored in a file called data.txt in the home directory of bandit10. The file contains a single base64 encoded string. The objective is to decode that string and read the password it contains. No searching required. No filtering. Just recognising the encoding and reversing it.

Approach

I logged in using the password retrieved from Level 9 to Level 10:

ssh bandit10@bandit.labs.overthewire.org -p 2220

The banner appeared and the prompt changed to bandit10@bandit:~$. I ran ls and confirmed data.txt was in the home directory. I read it with cat:

cat data.txt

The output was a long string of seemingly random uppercase and lowercase letters, numbers and occasional equals signs at the end. That trailing equals sign is one of the clearest indicators of base64 encoding. Base64 uses padding characters at the end of a string to make the total length a multiple of four.

Logged into bandit10 via SSH on port 2220.

Decoding it required one command using the built-in base64 tool with the decode flag:

base64 -d data.txt

The decoded output printed immediately to the terminal. It read as a plain English sentence containing the password for Level 11.

Password for Level 11 retrieved.

Commands Used

# Connect to the Bandit server as bandit10 using the Level 10 password
ssh bandit10@bandit.labs.overthewire.org -p 2220

# List the home directory to confirm data.txt is present
ls

# Read the file to see the encoded content
cat data.txt

# Decode the base64 encoded content and print the result
base64 -d data.txt

Command Breakdown

base64 -d data.txt

Reads the base64 encoded content of data.txt and decodes it back to its original form. The -d flag tells the tool to decode rather than encode. Without this flag base64 would encode the file content rather than reverse it.

base64

A command-line tool that handles base64 encoding and decoding. It is available by default on Linux and macOS systems. It can read from a file or from piped input, making it easy to combine with other tools in a pipeline.

-d

The decode flag. This is the only flag needed for this level. It reverses the base64 encoding and outputs the original data as readable text.

Trailing equals signs

A visual indicator of base64 encoding. Base64 strings end with one or two equals signs when the input data length is not evenly divisible by three. Recognising this pattern in log files, email headers or script content is a useful quick-identification skill.

Lesson Learned

The main technical takeaway is that base64 is encoding, not encryption. Encoding transforms data into a different format for compatibility or transport reasons. It is fully reversible by anyone with the right tool and no key or password is required to decode it. This distinction matters enormously in security work because base64 encoded content is sometimes mistaken for encrypted content, which changes how an analyst approaches it.

What made this level click was how fast the solution was once the encoding was recognised. The challenge was not the command. The challenge was knowing what you were looking at in the first place. Training your eye to recognise base64 content by its character set and trailing padding is a skill that pays off every time you encounter it in a log or a suspicious file.

Going forward I will check any unfamiliar string for base64 indicators before spending time trying to parse it as plain text. Recognition comes first; once the format is recognised, decoding takes one command.

• base64 -d filename — decode a base64 encoded file

• echo "encodedstring" | base64 -d — decode a base64 string directly from the terminal

• base64 filename — encode the contents of a file into base64 format

• cat filename | base64 — pipe file content into base64 for encoding

• base64 -d filename | file - — decode and immediately check the file type of the result (the trailing - tells file to read from standard input)

🔴 SOC Analyst Insight

Base64 encoding is one of the most commonly used obfuscation techniques in malicious scripts, phishing emails and malware payloads. PowerShell commands delivered through phishing attacks are almost always base64 encoded to bypass email filters and avoid keyword detection. When an analyst examines a suspicious email attachment or a flagged script, encoded content is one of the first things to look for and one of the first things to decode.

# Decode a base64 encoded PowerShell command extracted from a suspicious email attachment
echo "cGluZyAxOTIuMTY4LjEuMQ==" | base64 -d

The command above decodes a base64 string extracted from a suspicious script. In a real investigation that string might have come from a malicious macro, an obfuscated dropper or a command and control beacon. Decoding it immediately tells the analyst what the attacker intended to execute. That information drives the next steps of the investigation including scoping the impact, identifying the target and determining whether the command was successfully run.
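The recognition rule described earlier (base64 alphabet, total length a multiple of four, trailing padding) and the decoding step above, combined into a small log scanner. This is an added example, not code from the original article; the log lines and the PowerShell -enc payload are constructed here, and the payload is built from UTF-16LE text because that is the form PowerShell's -EncodedCommand expects, a case plain `base64 -d` prints as null-interleaved text.

```python
import base64, binascii, re

# Base64 alphabet with optional trailing '=' padding, 16+ characters so ordinary
# words are not flagged; the lookarounds stop a match from starting mid-token.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def looks_like_base64(token):
    """The article's recognition rule: base64 alphabet, length a multiple of four,
    at most two trailing '='. Lengths divisible by three give no padding at all."""
    if not B64_TOKEN.fullmatch(token):
        return False
    return len(token) % 4 == 0 and len(token) - len(token.rstrip("=")) <= 2

def decode_candidate(token):
    """Decode as `base64 -d` would, then render the bytes as text. PowerShell
    -EncodedCommand payloads are base64 of UTF-16LE (0x00 at every odd offset),
    so those are decoded as UTF-16LE instead of ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary result: hand it to `file`, do not print it

def scan_lines(lines):
    """Return (line number, token, decoded text) for every base64 hit in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in B64_TOKEN.findall(line):
            if looks_like_base64(token):
                decoded = decode_candidate(token)
                if decoded is not None:
                    hits.append((number, token, decoded))
    return hits

# Constructed sample log (not from the article): the article's base64 string, a PowerShell
# -enc payload built here from UTF-16LE text, and a hex digest that decodes to non-text.
PS_PAYLOAD = base64.b64encode("ping 192.168.1.1".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z macro.vbs wrote data.txt: cGluZyAxOTIuMTY4LjEuMQ==",
    f"2024-01-01T10:00:05Z process: powershell.exe -nop -w hidden -enc {PS_PAYLOAD}",
    "2024-01-01T10:00:09Z sha256 3f786850e387550fdab836ed7e6dc881de23001b",
]

for number, token, decoded in scan_lines(SAMPLE_LOG):
    print(f"line {number}: {token[:20]}... -> {decoded!r}")
```

The hex digest on the third line passes the alphabet and length checks, which is why the decode step and a text check are needed before reporting a hit.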

Base64 also appears in network traffic, HTTP headers, JWT tokens and configuration files. Recognising it on sight and decoding it without hesitation is a skill that saves time across a wide range of investigation types.

Key Takeaway

Base64 is not encryption and it is not security. It is a reversible encoding scheme that attackers use to make malicious content less immediately readable. Recognising the format by its character set and trailing padding, and decoding it with a single command, is a skill that applies directly to phishing analysis, malware triage and log investigation. The faster an analyst can identify and reverse encoding schemes the faster they can read attacker intent and act on it.

📅 30-Day Cybersecurity Learning Journey — Progress

✅ Day 0 — Setup & Series Introduction | OverTheWire Bandit

✅ Day 1 — Bandit Level 0 → 1 | SSH

✅ Day 2 — Bandit Level 1 → 2 | Special characters

✅ Day 3 — Bandit Level 2 → 3 | Spaces in filenames

✅ Day 4 — Bandit Level 3 → 4 | Hidden files

✅ Day 5 — Bandit Level 4 → 5 | File types

✅ Day 6 — Bandit Level 5 → 6 | find with properties

✅ Day 7 — Bandit Level 6 → 7 | find across filesystem

✅ Day 8 — Bandit Level 7 → 8 | grep

✅ Day 9 — Bandit Level 8 → 9 | sort and uniq

✅ Day 10 — Bandit Level 9 → 10 | strings and grep

✅ Day 11 — Bandit Level 10 → 11 | base64 ← today

⬜ Day 12 — Bandit Level 11 → 12 | coming next

Follow along with the series as I document each level, command and lesson learned.

Encoding hides intent from the casual observer. One command is all it takes to read exactly what the attacker wrote.