[Nullcon HackIM 2014] Forensics 2 Writeup

Points: 200

Description: There was a zip file on the desktop. I can’t remember the password for it.

We saw a zip file named: “null password.zip” on the desktop. When opened, there are 2 files which are encrypted. So it was clear that we needed to crack the zip.

First we looked at some hints from the challenge creator ;)

#Hint for FOR2 "User was too dumb to store the password in the protected zip file itself" #HackIM #ForensicChallenge @nullcon @null0x00

— Prince Komal Boonlia (@boonlia) January 25, 2014

#Hint for FOR2 "Why would someone put two files if it could have been done with one file" #HackIM #ForensicChallenge @nullcon @null0x00

— Prince Komal Boonlia (@boonlia) January 25, 2014

So, Beard-0 looked at a freshly booted VM of the image (since I was lazy + forgot to save the initial snapshot and was already working on another Forensic challenge) and looked at the Temp folder in AppData/Local, there he found a folder name Rar$DI99.160 inside which had one of the file “Null final1.pdf”. From this we looked at known attacks on zip files and found https://en.wikipedia.org/wiki/Known-plaintext_attack

We zipped the “Null final1.pdf” into a zip. Installed the evaluation edition of Ultimate Zip Cracker - http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html

 Selected the “Plaintext attack” recovery method.

Chose the “Null final1.pdf” zip file as plaintext file.

And finally we had the unzip’d archive.