Access the room: https://tryhackme.com/room/attacks-on-ecrypted-files-aoc2025-asdfghj123
With time between Easter and Christmas being destabilized, the once-quiet systems of The Best Festival Company began showing traces of encrypted data buried deep within their servers. Sir Carrotbane stumbled upon a series of locked PDF and ZIP files labelled “North Pole Asset List.” Rumours spread that these could contain fragments of Santa’s master gift registry, critical information that could help Malhare control the festive balance between both worlds.
Sir Carrotbane sets out to crack the encryption, learning how weak passwords can expose even the most guarded secrets. Can the Elves adapt fast and prevent their secrets from being discovered?
Learning Objectives
- How password-based encryption protects files such as PDFs and ZIP archives.
- Why weak passwords make encrypted files vulnerable.
- How attackers use dictionary and brute-force attacks to recover passwords.
- A hands-on exercise: cracking the password of an encrypted file to reveal its contents.
- The importance of using strong, complex passwords to defend against these attacks.
A few simple points to remember:
- The strength of protection depends almost entirely on the password. Short or common passwords can be guessed; long, random passwords are far harder to break.
- Different file formats use different algorithms and key derivation methods. For example, PDF encryption and ZIP encryption differ in details (how the key is derived, salt use, number of hash iterations). That affects how easy or hard cracking is.
- Many consumer tools still support legacy or weak modes (particularly older ZIP encryption). That makes some encrypted archives much easier to attack than modern, well-implemented schemes.
- Encryption protects data confidentiality only. It does not prevent someone with access to the encrypted file from trying to guess the password offline.
To make it simple, encryption makes the contents unreadable unless the correct password is known. If the password is weak, an attacker can simply try likely passwords until one works.
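The following Python script is an added example, not part of the TryHackMe room or its tooling. It shows the points above in working code: a password is turned into a key through a salted key-derivation function, the archive stores only a check value, and anyone holding the file can test candidates offline with no rate limiting. The verifier construction (salt + PBKDF2 + HMAC tag) is a simplified stand-in for what PDF and ZIP formats actually store, not the real scheme; the iteration counts, the five-entry wordlist and the 1e9 hashes-per-second guess rate are constructed assumptions used for illustration.

```python
"""Added example: why the password, not the cipher, decides whether an encrypted
PDF or ZIP survives offline guessing. The verifier format here is a simplified
stand-in (assumption), not the real PDF/ZIP password-check data."""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets

# Constructed stand-in for rockyou.txt (the real list has millions of entries).
SAMPLE_WORDLIST = ["123456", "password", "santa2025", "naughtylist", "letmein"]


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> key. `iterations` is the work factor: a cheap derivation makes
    every guess cheap, a high count makes every guess (attacker's or owner's) cost more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(password: str, iterations: int, salt: bytes | None = None) -> dict:
    """Build what an archive would store: salt, work factor and a check tag.
    The plaintext is never needed to test a password, only this tag."""
    salt = salt or secrets.token_bytes(16)
    key = derive_key(password, salt, iterations)
    tag = hmac.new(key, b"password-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def password_in_wordlist(verifier: dict, wordlist) -> tuple[str | None, int]:
    """Offline dictionary check: does any wordlist entry derive to the stored tag?
    Returns (matching entry or None, guesses spent). Nothing contacts the file's
    owner, which is why a weak archive password cannot be protected by lockouts."""
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_key(candidate, verifier["salt"], verifier["iterations"])
        tag = hmac.new(key, b"password-check", "sha256").digest()
        if hmac.compare_digest(tag, verifier["tag"]):
            return candidate, guesses
    return None, len(wordlist)


def entropy_bits(password: str) -> float:
    """Rough upper bound on the search space from the character classes present.
    A dictionary word scores well here yet falls to a wordlist, so this is a
    ceiling, not a guarantee."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII symbols including space (approximation)
    return len(password) * math.log2(pool) if pool else 0.0


def expected_crack_seconds(password: str, iterations: int,
                           raw_hashes_per_second: float = 1e9) -> float:
    """Expected time for an exhaustive search. raw_hashes_per_second is an assumed
    GPU rate for one PBKDF2 block; each guess costs `iterations` of them, and on
    average half the key space is searched before the hit."""
    guesses = 2 ** entropy_bits(password) / 2
    guesses_per_second = raw_hashes_per_second / iterations
    return guesses / guesses_per_second


if __name__ == "__main__":
    weak = make_verifier("naughtylist", iterations=1)
    print("weak password, wordlist check:", password_in_wordlist(weak, SAMPLE_WORDLIST))
    strong = "Q7#vR2mL9pX!wE4z"  # constructed random-looking password
    print("strong password, wordlist check:",
          password_in_wordlist(make_verifier(strong, 100_000), SAMPLE_WORDLIST))
    for pw in ("naughtylist", strong):
        for iters in (1, 100_000):
            print(f"{pw!r:>20} iterations={iters:>7}: "
                  f"~{expected_crack_seconds(pw, iters):.3g} s exhaustive")
```

Two things stand out when it runs: the wordlist finds "naughtylist" on the fourth guess no matter how many iterations the derivation uses, because the iteration count only multiplies the cost per guess and four guesses are cheap; and the long random password is unreachable by exhaustive search at any work factor. Work factor slows attackers down linearly, password quality slows them down exponentially.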

Step-by-Step Walkthrough
Initial Setup
Start the target machine and connect to it.

Access the Desktop directory on the machine, where the encrypted files are located.

Confirming File Types
We will use the file command to determine the type of each encrypted file.
file flag.pdf
file flag.zip

This step will help us in selecting the appropriate tools for cracking the passwords.
Choosing the Right Tools
For PDF files, use tools like pdfcrack or john (via pdf2john).
For ZIP files, use tools like fcrackzip or john (via zip2john).
General tools like john and hashcat are also effective for various file types and offer GPU acceleration for faster cracking.
Attempting Dictionary Attacks
Start with a dictionary attack using a common wordlist such as rockyou.txt:
pdfcrack -f flag.pdf -w /usr/share/wordlists/rockyou.txt
Now we are going to crack the ZIP password using John:
First, we have to create a hash that John can understand:
zip2john flag.zip > ziphash.txt

Now we will perform our dictionary attack:
john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt
flag.pdf -> Pass: naughtylist
flag.zip -> Pass: winter4ever
We’ve finally found the password for both the PDF and the ZIP file!
Retrieving the Flags
Open the decrypted PDF and ZIP files to find the hidden flags.
PDF:


ZIP:


Finally, we found our flags!!!
Answers of the THM Lab
What is the flag inside the encrypted PDF?
THM{Cr4ck1ng_PDFs_1s_34$y}
What is the flag inside the encrypted zip file?
THM{Cr4ck1n6_z1p$_1s_34$yyyy}