Infinite Loop

This challenge starts off with a zip file, which of course needs to be unzipped with the password hackthebox.
When unzipped I get another zip file. Nothing special about it, and it looks like this part consists of brute forcing.
After a few tries with a wordlist and not being successful, I decided to write a script to create a numerical list and try to brute force the file.
```bash
#!/bin/bash
# created by n0w4n

# creating numerical list (all digit strings of length 1 to 6)
echo "[-] Creating a numerical list for bruteforcing"
crunch 1 6 1234567890 -o num.list &>/dev/null

# running fcrackzip for as long as needed
echo "[-] Running fcrackzip trying the numerical list"
while true; do
    # exactly one zip file is present in the directory at any time
    file=$(ls | grep zip)
    fcrackzip -u -D -p num.list "$file" > result
    # fcrackzip prints "PASSWORD FOUND!!!!: pw == <password>"; field 5 is the password
    pass=$(tr -d '\n' < result | awk '{print $5}')
    found=$(tr -d '\n' < result | grep FOUND)
    if [[ -z $found ]]; then
        echo "[-] No password found in file $file"
        break
    else
        echo "Password found in file $file == $pass"
        unzip -q -P "$pass" "$file"
        rm "$file"
    fi
done

# cleaning up
rm -f result num.list
```
It runs just nicely and after not too long it stops because it can’t find any password.
```
root@kali:~/Downloads/Eternal_Loop# ./brute.sh
[-] Creating a numerical list for bruteforcing
[-] Running fcrackzip trying the numerical list
Password found in file 37366.zip == 5900
Password found in file 5900.zip == 49805
Password found in file 49805.zip == 13811
...[SNIP]...
Password found in file 10595.zip == 27833
Password found in file 27833.zip == 6969
[-] No password found in file 6969.zip
```
Let’s try fcrackzip again, but with a wordlist.
```
root@kali:~/Downloads/Eternal_Loop# fcrackzip -v -u -D -p '/usr/share/wordlists/rockyou.txt' 6969.zip
found file 'DoNotTouch', (size cp/uc 335181/884736, flags 9, chk 5b04)

PASSWORD FOUND!!!!: pw == letmeinplease
```
Success.
```
root@kali:~/Downloads/Eternal_Loop# unzip 6969.zip
Archive:  6969.zip
[6969.zip] DoNotTouch password:
  inflating: DoNotTouch
root@kali:~/Downloads/Eternal_Loop# ls
6969.zip  crack.sh  DoNotTouch
root@kali:~/Downloads/Eternal_Loop# file DoNotTouch
DoNotTouch: SQLite 3.x database, last written using SQLite version 3021000
```
A SQLite database. Kali has a nice browser installed for viewing these kinds of files: sqlitebrowser.
After some searching I find the hash amidst the noise.
Not really that hard. A fun challenge to do if you need to get the hang of basic scripting.
How did you crack the 37366.zip file!! I am not able to crack it!!! Please help
The file is zipped with a numerical password……multiple times.
So there are 2 options: either you do the unzipping manually (which will take you forever) or you write or copy a script to do the work for you.
If you don’t already use a pentest OS (like Kali, ParrotSec or BlackArch), you should check it out.
They contain a lot of tools, which you can use for these kinds of things.
In this case you need: fcrackzip and crunch
You shouldn't crack all the archives, but use the name of the n+1 archive as the archive n password. You must crack the last one (6969).
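The shortcut from the last comment, as an added example that is not part of the original post or its comments: zip encryption protects file contents but not file names, so the inner archive's name can be read without a password and tried as the password. The function name `peel_chain` and the helper `build_sample` are hypothetical, and Python is used so the example runs offline. The sample chain is constructed and unencrypted (Python's `zipfile` cannot write encrypted archives, and it ignores `pwd` for unencrypted members), reusing archive names from the run above.

```python
import io
import zipfile
import zlib


def peel_chain(name, data, max_depth=10000):
    """Unwrap nested zips whose password is the inner archive's base name.

    Returns (steps, last_name, last_data). steps holds (archive, password)
    pairs; last_* is the first archive that breaks the pattern.
    """
    steps = []
    for _ in range(max_depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()  # file names are stored unencrypted
            if len(members) != 1:
                break
            inner = members[0]
            stem, _dot, ext = inner.filename.rpartition(".")
            if ext.lower() != "zip" or not stem.isdigit():
                break  # e.g. 'DoNotTouch': needs a real password attack
            try:
                payload = zf.read(inner, pwd=stem.encode())
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                break  # candidate password was wrong
        steps.append((name, stem))
        name, data = inner.filename, payload
    return steps, name, data


def build_sample(stems, leaf_name, leaf_bytes):
    """Constructed input: unencrypted nesting, stems listed outermost first."""
    name, data = leaf_name, leaf_bytes
    for stem in reversed(stems):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = stem + ".zip", buf.getvalue()
    return name, data


if __name__ == "__main__":
    outer, blob = build_sample(["37366", "5900", "49805", "6969"],
                               "DoNotTouch", b"constructed placeholder")
    steps, last, _ = peel_chain(outer, blob)
    for archive, password in steps:
        print(f"{archive} opens with {password}")
    print(f"pattern stops at {last}")
```

`zipfile` only decrypts the legacy ZipCrypto scheme, so an AES-encrypted archive ends the chain early instead of being unwrapped.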