
Day 9: Cracking the North Pole Asset List


The Mission: Sir Carrotbane’s Cryptic Find

While the systems in Wareville were destabilised, Sir Carrotbane discovered a series of locked PDF and ZIP files deep within the servers. These files are rumoured to contain fragments of Santa's master gift registry. My task was to step in, crack the encryption, and demonstrate how weak passwords leave even the most sensitive "SOC-mas" secrets vulnerable.

Core Concepts: Dictionary vs. Mask Attacks

Encryption protects data confidentiality, but it doesn't stop an attacker with the file from attempting to guess the password offline. I utilised two primary methods to bypass these locks:

Dictionary Attacks: Using a predefined wordlist, such as the famous rockyou.txt, the cracker tests thousands of common passwords until a match is found.

Brute-force & Mask Attacks: Brute-force tries every possible character combination, which is thorough but slow. A mask attack is more efficient, narrowing the search to a specific pattern (e.g., three lowercase letters followed by two digits, or ?l?l?l?d?d).

The Technical Breakdown: Tools of the Trade

To clear this level, I followed a precise technical pipeline:

1. Identification: First, I used the file command to confirm the file types, as PDF and ZIP files require different cracking algorithms.

2. PDF Cracking: For the PDF, I used pdfcrack against the rockyou.txt wordlist. For each candidate password in the wordlist, the tool derives the corresponding encryption key and checks whether it correctly decrypts the file's internal values.

Flag Captured: THM{Cr4ck1ng_PDFs_1s_34$y}

3. The ZIP Pipeline: Since John the Ripper (John) cannot crack ZIP files directly, I first used zip2john to extract the encrypted "hash" into a format John could read. I then ran the dictionary attack on that hash.

Flag Captured: THM{Cr4ck1n6_z1p$_1s_34$yyyy}

Defensive Insights: Detecting the Cracker

A true security professional doesn't just know how to attack; they know how to detect. Even though offline cracking stays quiet on login services, it leaves heavy footprints on the endpoint:

Resource Spikes: Password cracking is CPU and GPU intensive. Sudden, steady high GPU utilisation or fan spikes can signal an ongoing attack.

Network Hints: Watch for the download of massive wordlists like rockyou.txt or the installation of tools like john and hashcat.

Process Creation: Monitoring command-line traits for flags like --wordlist or --mask is a highly effective detection strategy.

--------------------------------------------------------------------------------------------------------------
Analogy for Password Cracking: Think of an encrypted file like a high-security safe. A dictionary attack is like having a list of the 10,000 most common combinations people use and trying them one by one. A mask attack is like knowing the owner always uses their children's initials followed by their birth year—you don't know the exact code, but you've ignored millions of useless combinations, making you much faster at cracking the lock.
