We obtained a password-protected ZIP archive named important.zip containing three files (listed below).
The objective is to decrypt the contents, or recover the original password, in order to reach the flag hidden in one of these entries.
First, we enumerate the files inside the archive to understand its contents:
unzip -l important.zip
Output:
Archive:  important.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      545  05-14-2025 02:31   alien.svg
    18810  05-14-2025 01:48   important_document.pdf
      354  05-15-2025 20:45   secret.txt
---------                     -------
    19709                     3 files
The file alien.svg stands out: it is the smallest entry and, as an SVG, begins with a predictable header, which makes it a strong candidate for a known-plaintext attack.
The archive uses the legacy ZipCrypto (traditional PKWARE) encryption, which is vulnerable to a known-plaintext attack: a few bytes of plaintext at a known position in one encrypted entry are enough to recover the internal keys, and those keys decrypt every entry. To proceed, we need a sequence of plaintext bytes that lines up with the beginning of an encrypted entry.
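Before reaching for bkcrack, a defender usually wants to know whether an archive is even exposed to this class of attack. The check is purely structural: an entry is ZipCrypto-protected when general-purpose flag bit 0 is set and the compression method is anything other than 99, while method 99 marks the WinZip AES (AE-x) scheme, which is not affected. The script below is an added example, not part of the original writeup or of bkcrack; it parses the central directory of a ZIP blob and classifies each entry, and builds a constructed three-entry archive (plaintext bodies, fabricated names) purely as a fixture for the scan.

```python
import struct
import zlib

# Signatures and ids from the ZIP application note and the WinZip AES spec
LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
AES_METHOD = 99          # WinZip AE-x entries store 99 as the compression method
AES_EXTRA_ID = 0x9901    # WinZip AES extra-field header id
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0


def _aes_strength(extra: bytes) -> str:
    """Return the key size ('128', '192', '256') from a WinZip AES extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        payload = extra[pos + 4:pos + 4 + size]
        # payload: vendor version(2) "AE"(2) strength(1) real method(2)
        if hid == AES_EXTRA_ID and len(payload) >= 7:
            return {1: "128", 2: "192", 3: "256"}.get(payload[4], "unknown")
        pos += 4 + size
    return "unknown"


def scan_zip_encryption(blob: bytes) -> list:
    """Walk the central directory and classify each entry's protection scheme.

    'none'       : flag bit 0 clear
    'aes-<bits>' : method 99 (WinZip AE-x), not attackable with bkcrack
    'zipcrypto'  : flag bit 0 set with any other method (legacy PKWARE stream cipher)
    """
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        sig, flags, method, nlen, xlen, clen = f[0], f[3], f[4], f[10], f[11], f[12]
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = blob[pos + 46 + nlen:pos + 46 + nlen + xlen]
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == AES_METHOD:
            scheme = "aes-" + _aes_strength(extra)
        else:
            scheme = "zipcrypto"
        entries.append({"name": name, "scheme": scheme, "weak": scheme == "zipcrypto"})
        pos += 46 + nlen + xlen + clen
    return entries


def weak_entries(blob: bytes) -> list:
    """Names of entries that a known-plaintext attack on ZipCrypto would expose."""
    return [e["name"] for e in scan_zip_encryption(blob) if e["weak"]]


# --- constructed fixture: a minimal STORED archive assembled by hand ---------
def aes_extra(strength: int) -> bytes:
    """WinZip AES extra field (AE-2, real method 8 = deflate) for a key size code."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)


def build_zip(specs) -> bytes:
    """Assemble local headers, central directory and EOCD from
    (name, data, flags, method, extra) tuples. Fixture only: 'encrypted'
    entries carry plaintext bodies, since the scan reads headers alone."""
    local, central = b"", b""
    for name, data, flags, method, extra in specs:
        nb, crc, off = name.encode(), zlib.crc32(data), len(local)
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                             crc, len(data), len(data), len(nb), len(extra)) + nb + extra + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, method,
                               0, 0, crc, len(data), len(data), len(nb), len(extra),
                               0, 0, 0, 0, off) + nb + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(specs), len(specs),
                       len(central), len(local), 0)
    return local + central + eocd


SAMPLE = build_zip([
    ("alien.svg", b'<?xml version="1.0" encoding="UTF-8"?>', FLAG_ENCRYPTED, 0, b""),
    ("report.pdf", b"%PDF-1.7 (constructed)", FLAG_ENCRYPTED, AES_METHOD, aes_extra(3)),
    ("readme.txt", b"not encrypted", 0, 0, b""),
])

if __name__ == "__main__":
    for e in scan_zip_encryption(SAMPLE):
        print(f"{e['name']:<12} {e['scheme']}")
```

Run against a real file with `scan_zip_encryption(open("important.zip", "rb").read())`; any entry reported as zipcrypto is exactly the kind bkcrack targets, and the fix on the producing side is to re-create the archive with AES (method 99) rather than the traditional scheme.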
Why choose alien.svg?
SVG files almost always start with the standard XML declaration:
<?xml version="1.0" encoding="UTF-8"?>
This predictable header makes alien.svg an excellent source of known plaintext.
To perform the attack, we need a plaintext file whose contents match the start of alien.svg. Since we do not have the original file, we write the beginning by hand from the known SVG/XML structure.
We supply the first 13 bytes, which satisfies bkcrack's requirement of at least 12 known plaintext bytes, of which at least 8 must be contiguous.
echo -n '<?xml version="1.0" %' > plain.txt
With the crafted plaintext in place, we invoke bkcrack to recover the internal encryption keys:
bkcrack -C important.zip -c alien.svg -p plain.txt
Output:
bkcrack 1.7.1 - 2024-12-21
[21:56:02] Z reduction using 13 bytes of known plaintext
100.0 % (13 / 13)
[21:56:03] Attack on 549123 Z values at index 6
Keys: aecfb215 d758b203 a40cae44
49.8 % (273379 / 549123)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 273379
[22:01:54] Keys
aecfb215 d758b203 a40cae44
At this stage, we have recovered the three internal keys used to encrypt the archive.
With the internal keys in hand, we can decrypt individual entries, such as secret.txt, without ever knowing the original password:
bkcrack -C important.zip -c secret.txt -k aecfb215 d758b203 a40cae44 -d secret_decrypted.txt
To re-lock the archive (or replace the password with one of our choosing), we can generate a new encrypted archive from the recovered keys. Note that the copy is still ZipCrypto-encrypted, so it remains just as exposed to this attack as the original:
bkcrack -C important.zip -k aecfb215 d758b203 a40cae44 -U important_relocked.zip newpass2025