Level 28 - Do you have a password

http://suninatas.com/challenge/web28/web28.asp

Every file is encrypted

Encryption method is ZipCrypto Deflate which is known to be vulnerable to crib attacks via bkcrack

└─$ 7z l -slt So_Simple.zip | grep -i -e 'Method' -e 'Encrypted'
Encrypted = +
Method = ZipCrypto Deflate
Encrypted = +
Method = ZipCrypto Deflate
Encrypted = +
Method = ZipCrypto Deflate

We can recover zip with this method, but not other txt files.

bkcrack was introduced in 2020, challenge is from 2013 so there must be simpler way.

The structure of a PKZip file by Florian Buchholz

└─$ xxd So_Simple.zip | head -1
00000000: 504b 0304 1400 0908 0800 fd78 5543 2313  PK.........xUC#.

└─$ xxd t.zip | head -1
00000000: 504b 0304 1400 0000 0800 482e db5a e687  PK........H..Z..

In given file the flags byte is 0908:

Bit

Meaning

Value

Explanation

File is encrypted

✅ 1

Encrypted (uses ZipCrypto)

Compression option bit 1

❌ 0

Not set

Compression option bit 2

❌ 0

Not set

Data descriptor present

❌ 0

CRC/size stored in central directory

Enhanced deflation

❌ 0

Not used

Compressed patched data

❌ 0

Not used

Strong encryption

❌ 0

❌ Not AES (this would be set for AES)

Unused

✅ 1

Just reserved (likely benign)

8-10

Unused

❌ 0

Not set

UTF-8 file names

✅ 1

Filename is stored in UTF-8

Reserved

❌ 0

Not set

Mask header values

❌ 0

Not set

14-15

Reserved

❌ 0

Not set

Changing the bytes to 0000 removes the encryption

If you open file with Windows Zip explorer it doesn't work, however 7z was able to open the zip inside, but not key2

The ZIP file was marked as encrypted using ZipCrypto, indicated by bit 0 of the general purpose bit flag (0x0809). By flipping this flag to 0x0000 in a hex editor, we disabled the encryption flag, tricking unzip tools into extracting the raw (still encrypted) data without prompting for a password.

Flag: dGE1dHlfSDR6M2xudXRfY29mZmVl

PreviousLevel 26 - Cipher III NextLevel 29 - Brothers

Last updated 7 months ago