Misc / Easy

Yu Jin (Misc)

CTF writeup for Yu Jin (Misc) from Next Hunt

//Yu-jin (Misc)

>Challenge

Memory doesn’t care who owns it. Only how it was stored. Flag format: nexus{}.

>Files Provided

  • locked.zip (contains an encrypted secret.zip)

  • pls_dont_delete.zip (contains Windows SAM and SYSTEM hives)

>Quick Answer

Flag: nexus{1t_w45_4ll_ju5t_f0r_th15_l1n3}

>Tooling Used

  • Impacket secretsdump to confirm we could read the SAM/SYSTEM (not ultimately needed for the flag)

  • fcrackzip for wordlist ZIP attacks

  • bkcrack for ZipCrypto known-plaintext attack

  • rockyou.txt wordlist

>Solution Walkthrough

1) Inspect the archives

Unzip the obvious archive first:

bash

unzip pls_dont_delete.zip

# produces SAM and SYSTEM

I first ran secretsdump to confirm the hives were intact:

bash

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

The hashes dumped fine, but nothing in them yielded the ZIP password.

locked.zip contained a single encrypted entry, secret.zip, using ZipCrypto (the legacy PKWARE stream cipher) with method Stored, i.e. no compression; bkcrack -L locked.zip (or 7z l -slt locked.zip) shows both. The stored method matters: bkcrack needs plaintext of whatever was actually encrypted, and for a stored entry that is the inner ZIP itself rather than a Deflate stream. Standard wordlist guessing with fcrackzip and rockyou failed, so I moved to a known-plaintext attack.

2) Use bkcrack to recover ZipCrypto keys

bkcrack needs at least 12 bytes of known plaintext, 8 of them contiguous, at a known position in the encrypted data. For a nested ZIP that is easy to supply: the End Of Central Directory (EOCD) record at the tail of the inner archive is predictable. It starts with the signature PK\x05\x06, followed by four 16-bit little-endian fields (number of this disk, disk where the central directory starts, central directory entries on this disk, total entries), which for a single-file archive are 0, 0, 1, 1. That is exactly 12 bytes, and it sits 22 bytes before the end of the plaintext as long as the archive has no comment. I supplied those EOCD bytes for a 1-file archive as known plaintext:

bash

./bkcrack-1.5.0-Linux/bkcrack \

  -C locked.zip -c secret.zip \

  -x 208 504b05060000000001000100

Explanation:

  • -C locked.zip -c secret.zip: ciphertext from the encrypted entry

  • -x 208 504b05060000000001000100: 12 bytes of known plaintext at offset 208: the EOCD signature PK\x05\x06, then 0000 0000 (disk fields), 0100 0100 (1 entry on this disk, 1 entry total). Offsets are relative to the plaintext, i.e. the entry's compressed size minus the 12-byte ZipCrypto encryption header, so an offset of 208 for a 22-byte EOCD implies an inner ZIP of 230 bytes with no archive comment.

The attack recovered internal keys:

Keys: 3950cf44 d103d7ce 1404ee09
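The offset and the hex string above are the two things that are easy to get wrong, so here is an added example (mine, not part of the writeup or of bkcrack) that derives both from the outer archive's local file header. It builds a stand-in for secret.zip with the standard library, wraps it in a stand-in for the locked.zip entry (realistic header fields, but a dummy 12-byte header plus the plaintext itself in place of real ciphertext, so the answer can be checked), and then prints the bkcrack command line. The function names, the sample file contents and the assumption of a single-entry inner archive with no comment are mine.

```python
# Added example (not from the writeup): derive bkcrack's "-x <offset> <hex>" known-plaintext
# argument from the outer archive's local file header. Names and sample data are made up.
import io
import struct
import zipfile
import zlib

LFH = struct.Struct("<IHHHHHIIIHH")  # local file header: sig, ver, flags, method, time, date,
                                     # crc, compressed size, uncompressed size, name len, extra len
LFH_SIG = 0x04034B50
EOCD_SIG = 0x06054B50
ENC_HEADER_LEN = 12                  # ZipCrypto prepends a 12-byte encryption header
EOCD_LEN = 22                        # EOCD record without an archive comment


def build_stored_zip(name, data):
    """Constructed stand-in for the inner secret.zip: one stored entry, no comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def wrap_as_zipcrypto_entry(name, plaintext):
    """Constructed stand-in for the locked.zip entry holding secret.zip.

    Only the header fields the offset calculation depends on are realistic (flag bit 0 set,
    method 0 = stored, compressed size = plaintext + 12). The body is a dummy 12-byte header
    followed by the plaintext itself, not real ZipCrypto output, so the result can be checked.
    """
    body = b"\x00" * ENC_HEADER_LEN + plaintext
    fname = name.encode()
    header = LFH.pack(LFH_SIG, 20, 0x0001, 0, 0, 0, zlib.crc32(plaintext),
                      len(body), len(plaintext), len(fname), 0)
    return header + fname + body


def find_local_entry(archive, name):
    """Walk local file headers (stops at the central directory) and return the named entry."""
    pos = 0
    while archive[pos:pos + 4] == b"PK\x03\x04":
        _, _, flags, method, _, _, crc, csize, usize, fnlen, exlen = LFH.unpack_from(archive, pos)
        if flags & 0x0008:
            # sizes live in a trailing data descriptor; take them from the central directory instead
            raise ValueError("data-descriptor entry: sizes are not in the local header")
        fname = archive[pos + 30:pos + 30 + fnlen].decode()
        data_start = pos + 30 + fnlen + exlen
        if fname == name:
            return {"flags": flags, "method": method, "crc": crc, "csize": csize,
                    "usize": usize, "data": archive[data_start:data_start + csize]}
        pos = data_start + csize
    raise KeyError(name)


def eocd_prefix(entries):
    """First 12 EOCD bytes: signature, this disk, CD disk, entries on this disk, total entries."""
    return struct.pack("<IHHHH", EOCD_SIG, 0, 0, entries, entries)


def bkcrack_known_plaintext(entry, entries, comment_len=0):
    """Return (offset, hex) for "bkcrack -x <offset> <hex>" against a stored ZipCrypto entry.

    Offsets are relative to the plaintext, i.e. the ciphertext minus its 12-byte header.
    """
    if not entry["flags"] & 0x0001:
        raise ValueError("entry is not encrypted")
    if entry["method"] != 0:
        raise ValueError("entry is compressed: the plaintext would be the deflate stream, "
                         "not the inner archive's structure")
    plain_len = entry["csize"] - ENC_HEADER_LEN
    if plain_len != entry["usize"]:
        raise ValueError("stored entry but sizes disagree; check the central directory")
    offset = plain_len - EOCD_LEN - comment_len
    return offset, eocd_prefix(entries).hex()


def demo():
    inner = build_stored_zip("flag.txt", b"constructed sample, not the real flag\n")
    outer = wrap_as_zipcrypto_entry("secret.zip", inner)
    offset, hexbytes = bkcrack_known_plaintext(find_local_entry(outer, "secret.zip"), entries=1)
    # the stand-in is unencrypted, so the guess can be checked against the actual bytes
    assert inner[offset:offset + 12] == bytes.fromhex(hexbytes)
    print(f"bkcrack -C locked.zip -c secret.zip -x {offset} {hexbytes}")
    return offset, hexbytes


if __name__ == "__main__":
    demo()
```

The entry count is a guess (1 here); if the inner archive holds more files or carries a comment the bytes or the offset will be wrong, and bkcrack simply reports that no keys were found, so adjust and rerun.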

3) Decrypt secret.zip

With keys in hand, dump the decrypted entry:

bash

./bkcrack-1.5.0-Linux/bkcrack \

  -C locked.zip -c secret.zip \

  -k 3950cf44 d103d7ce 1404ee09 \

  -d secret.zip

bkcrack -d writes the deciphered entry to disk; since the entry was stored, the output is the inner secret.zip byte for byte. It is itself password-protected (a nested ZIP).

4) Crack the inner zip password

Run fcrackzip in dictionary mode (-D, with -p naming the wordlist) against the decrypted secret.zip with rockyou.txt. The -u flag makes it verify each candidate by actually unzipping, which matters because the 12-byte ZipCrypto header only provides an 8-bit check, so roughly 1 in 256 wrong passwords would otherwise be reported as hits:

bash

fcrackzip -u -D -p rockyou.txt secret.zip

It found the password: (0n1y)=(you).

Unzip with that password:

bash

unzip -P '(0n1y)=(you)' secret.zip

This extracts flag.txt.
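To show what fcrackzip's dictionary mode is doing, and why -u matters, here is an added example of my own (not part of the writeup, fcrackzip or bkcrack). A minimal ZipCrypto implementation builds a password-protected stored ZIP in memory, a wordlist loop then cracks it using only the standard library, and a second loop hunts for a wrong password that passes the header's check byte but fails the CRC, which is exactly the false positive -u weeds out. The password is the one the writeup recovered; the file contents, the wordlist and the function names are constructed.

```python
# Added example (not from the writeup): a minimal ZipCrypto implementation builds a
# password-protected stored ZIP in memory, then a wordlist loop cracks it the way
# fcrackzip -D does, with the CRC verification that -u adds. Data and wordlist are made up.
import io
import struct
import zipfile
import zlib

CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


class ZipCrypto:
    """PKWARE traditional encryption: three 32-bit keys driven by the plaintext bytes."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain):
        out = bytearray()
        for p in plain:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)


def make_zipcrypto_zip(name, data, password):
    """One stored, ZipCrypto-encrypted entry; no data descriptor, no comment."""
    crc = zlib.crc32(data)
    fname = name.encode()
    # 12-byte encryption header: 11 filler bytes, then the CRC's high byte as the password check byte
    header = b"\xAA" * 11 + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    flags, method, mtime, mdate = 0x0001, 0, 0, 0
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime, mdate,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def crack(zip_bytes, name, wordlist):
    """Wordlist attack; returns (password, plaintext) or None.

    zipfile rejects most wrong passwords via the header's check byte (an 8-bit test, so about
    1 in 256 wrong guesses slip through); those are caught by the CRC when the data is read.
    """
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for pwd in wordlist:
        try:
            with zf.open(name, pwd=pwd) as f:
                data = f.read()
        except RuntimeError:        # check byte mismatch: cheap rejection
            continue
        except zipfile.BadZipFile:  # passed the check byte but failed the CRC: false positive
            continue
        return pwd, data
    return None


def first_check_byte_collision(zip_bytes, name, limit=20000):
    """Find a wrong password that survives the check byte: the false positives -u weeds out."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for i in range(limit):
        guess = b"guess%d" % i
        try:
            with zf.open(name, pwd=guess) as f:
                f.read()
        except RuntimeError:
            continue
        except zipfile.BadZipFile:
            return guess
    return None


PASSWORD = b"(0n1y)=(you)"  # the password the writeup recovered
SAMPLE = b"constructed sample, not the real flag\n"
WORDLIST = [b"password", b"123456", b"letmein", PASSWORD, b"qwerty"]  # stand-in for rockyou


def demo():
    archive = make_zipcrypto_zip("flag.txt", SAMPLE, PASSWORD)
    return crack(archive, "flag.txt", WORDLIST)


if __name__ == "__main__":
    print(demo())
    print(first_check_byte_collision(make_zipcrypto_zip("flag.txt", SAMPLE, PASSWORD), "flag.txt"))
```

first_check_byte_collision typically returns a hit within a few hundred guesses, which is the practical argument for -u (or for giving fcrackzip several files from the same archive): without a full decrypt-and-verify step a wordlist run will report junk passwords.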

5) Get the flag

bash

cat flag.txt

# nexus{1t_w45_4ll_ju5t_f0r_th15_l1n3}

>Notes and Lessons

  • When ZipCrypto + wordlists fail, known-plaintext attacks (bkcrack) are extremely effective if you can guess at least 12 bytes (8 of them contiguous) of what was encrypted: ZIP structure bytes of a nested archive (local header, central directory, or EOCD), or a known file header such as a PNG or PDF magic. This works directly only for stored entries; for a Deflate entry the plaintext you need is the compressed stream.

  • Once the keys are known the password is irrelevant: bkcrack can decipher the entry (-d) or write a copy of the archive with a password of your choosing (-U).

  • Dumping SAM/SYSTEM confirmed the hives were valid, but they were a decoy for this challenge.

  • Always check for nested archives; inner layers may reuse weaker protection or be dictionary-crackable.