[Nullcon HackIM 2014] Forensics 2 Writeup

Points: 200

Description: There was a zip file on the desktop. I can’t remember the password for it.

We saw a zip file named: “null password.zip” on the desktop. When opened, there are 2 files which are encrypted. So it was clear that we needed to crack the zip.

First we looked at some hints from the challenge creator ;)

So, Beard-0 looked at a freshly booted VM of the image (since I was lazy + forgot to save the initial snapshot and was already working on another Forensic challenge) and looked at the Temp folder in AppData/Local, there he found a folder name Rar$DI99.160 inside which had one of the file “Null final1.pdf”. From this we looked at known attacks on zip files and found https://en.wikipedia.org/wiki/Known-plaintext_attack

We zipped the “Null final1.pdf” into a zip. Installed the evaluation edition of Ultimate Zip Cracker - http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html

 Selected the “Plaintext attack” recovery method.

Chose the “Null final1.pdf” zip file as plaintext file.

And finally we had the unzip’d archive.

Maverick Kaung
Maverick Kaung
IT Security Enthusiast

Ye Myat “Maverick” Kaung is a highly motivated individual with a passion for security and open source software. Also an aspiring hacker and software engineer.