DeconstruCT.F 2023 - Hash Roll

Description

Category: Forensics

Augustine’s friend took an important file of Augustine’s and stashed it. He was able to grab all the files from his friend’s machine, but he is worried that the files are encrypted. Help him get the file back.

Attachments:

Hint

Rule 3 does not apply here. Bruteforce is allowed.

Resolution

As the name implies, encrypted1.zip is encrypted.

We can bruteforce the password using John the Ripper:

  1. We extract the archive's hash material with zip2john so that john can crack it:
    
    $ ./zip2john encrypted1.zip > hash
    
  2. We crack the password with a dictionary attack using rockyou.txt:
    
    $ john hash --wordlist=rockyou.txt
    Warning: detected hash type "ZIP", but the string is also recognized as "ZIP-opencl"
    Use the "--format=ZIP-opencl" option to force loading these as that type instead
    Using default input encoding: UTF-8
    Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
    Cost 1 (HMAC size) is 143716 for all loaded hashes
    Will run 8 OpenMP threads
    Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
    diosesamor       (encrypted1.zip/flag.jpg)     
    1g 0:00:00:00 DONE (2023-08-05 11:27) 1.960g/s 32125p/s 32125c/s 32125C/s 123456..christal
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed.
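
John's banner above labels the hash as `ZIP, WinZip [PBKDF2-SHA1 ...]`, which means the entry is protected with WinZip AES rather than legacy ZipCrypto. As an added example (not part of the original write-up and not code from John the Ripper), this Python parser reads a ZIP local file header and reports the encryption scheme, AES strength and salt without decrypting anything; the sample bytes are constructed, and `describe_entry` and `sample_entry` are names chosen here.

```python
import struct

LFH = struct.Struct("<IHHHHHIIIHH")   # fixed 30-byte ZIP local file header
AES_BITS = {1: 128, 2: 192, 3: 256}   # AE-x strength byte -> AES key size
SALT_LEN = {1: 8, 2: 12, 3: 16}       # salt bytes stored before the ciphertext

def describe_entry(buf, off=0):
    """Report how the ZIP entry at `off` is protected, without decrypting it."""
    (sig, _ver, flags, method, _time, _date, _crc,
     csize, _usize, nlen, xlen) = LFH.unpack_from(buf, off)
    if sig != 0x04034B50:
        raise ValueError("not a ZIP local file header")
    name_end = off + LFH.size + nlen
    info = {"name": buf[off + LFH.size:name_end].decode("utf-8", "replace"),
            "encrypted": bool(flags & 1), "scheme": None}
    if not info["encrypted"]:
        return info
    info["scheme"] = ("WinZip AES (extra field missing)" if method == 99
                      else "non-AES, e.g. legacy ZipCrypto")
    pos, end = name_end, name_end + xlen
    while method == 99 and pos + 4 <= end:      # 99 = WinZip AES marker
        hid, hlen = struct.unpack_from("<HH", buf, pos)
        if hid == 0x9901 and hlen >= 7:         # AE-x extra field
            ver, _vendor, strength, _real = struct.unpack_from("<H2sBH", buf, pos + 4)
            if strength not in AES_BITS:
                raise ValueError("unknown AES strength byte")
            n = SALT_LEN[strength]
            # Entry data layout: salt | 2-byte verifier | ciphertext | 10-byte HMAC tag
            info.update(
                scheme=f"WinZip AE-{ver}", aes_bits=AES_BITS[strength],
                kdf="PBKDF2-HMAC-SHA1, 1000 iterations",
                salt=buf[end:end + n].hex(),
                # With a data descriptor (flag bit 3) the header size may be zero.
                ciphertext_len=None if flags & 8 else csize - n - 12)
        pos += 4 + hlen
    return info

def sample_entry(flags=1, method=99):
    """Constructed header bytes for illustration, not taken from encrypted1.zip."""
    name = b"flag.jpg"
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
    body = bytes(range(16)) + b"\x00\x00" + b"\xaa" * 5 + bytes(10)
    head = LFH.pack(0x04034B50, 51, flags, method, 0, 0, 0,
                    len(body), 5, len(name), len(extra))
    return head + name + extra + body

if __name__ == "__main__":
    print(describe_entry(sample_entry()))
```

Because the WinZip AES key derivation uses a fixed 1000 PBKDF2 iterations, the strength of the password is the only real control, which is why a rockyou.txt entry falls in under a second here.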
    

Now that we have the password, we can decrypt encrypted1.zip and open flag.jpg.

Flag

And we get the flag: dsc{N3v3r_9OnNA_gIv3_y0u_up}.

This post is licensed under CC BY 4.0 by the author.