Advent of Cyber - Day 9

🎄 Cracking Encrypted Files

A Festive Cybersecurity Adventure

Introduction

Between Easter and Christmas, something unusual began unfolding at The Best Festival Company (TBFC). Systems that were once quiet started revealing traces of encrypted data hidden deep within internal servers.

Sir Carrotbane, the company’s vigilant security officer, discovered a collection of locked PDF and ZIP files labeled “North Pole Asset List.” These files were suspected to contain sensitive operational data — information that, if exposed, could disrupt festive operations entirely.

This investigation demonstrates a crucial cybersecurity lesson: encryption alone is not enough if passwords are weak.


🎯 Learning Objectives

By the end of this exercise, you’ll understand:

  • How password-based encryption works in common file formats

  • Why weak passwords undermine strong encryption algorithms

  • How attackers recover passwords using guessing techniques

  • How defenders can detect and respond to password-cracking activity

  • Best practices for protecting encrypted data


๐Ÿ” Encryption & Password Security — Key Takeaways

  • Encryption strength depends heavily on password complexity

  • Short or predictable passwords are vulnerable to guessing

  • Different file formats use different encryption implementations

  • Encryption protects the confidentiality of the data; it does nothing to limit how many password guesses can be made against a copy of the file

  • Once an attacker holds a copy of the file, guessing happens offline, so no server can rate-limit or lock out the attempts


⚔️ Attacks Against Encrypted Files

How Weak Passwords Are Recovered

Rather than breaking encryption directly, attackers focus on password recovery using systematic guessing techniques.

1️⃣ Dictionary Attacks

Dictionary attacks rely on predefined wordlists that include:

  • Leaked passwords from past breaches

  • Common words and phrases

  • Predictable substitutions (e.g., password123)

Because many users reuse simple passwords, dictionary attacks are often highly effective.


2️⃣ Mask & Brute-Force Attacks

Brute-force attacks try every possible character combination. They will eventually succeed, but the keyspace grows exponentially with password length, so long passwords can make them impractically slow.

Mask attacks optimize this process by limiting guesses to a known pattern. Example (hashcat mask syntax, where ?l is a lowercase letter and ?d a digit):

?l?l?l?d?d

This attempts three lowercase letters followed by two digits: 26³ × 10² = 1,757,600 candidates, far fewer than a full brute force over every printable character at the same length.

Common attacker strategies defenders should know:

  • Start with popular wordlists (e.g., rockyou.txt)

  • Use organization-specific wordlists if possible

  • Apply masks when password patterns are known

  • Leverage GPU acceleration

  • Monitor system resource usage


🧪 Practical Exercise Overview

Encrypted files are located in the system’s Desktop directory.

File Identification

file flag.pdf
file flag.zip

Common Tools Used

  • PDF: pdfcrack, john

  • ZIP: fcrackzip, john

  • General: john, hashcat


🔓 Password Recovery Results

Encrypted PDF

Recovered password:

THM{Cr4ck1ng_PDFs_1s_34$y}

Encrypted ZIP

Recovered password:

THM{Cr4ck1n6_z1p$_1s_34$yyyy}

These results reinforce how weak passwords negate encryption protections.


🕵️ Detection & Monitoring

Even though password cracking is an offline activity, it still leaves evidence.

Common Indicators

  • Execution of tools such as john, hashcat, pdfcrack

  • Command-line arguments referencing wordlists

  • High CPU or GPU usage

  • Frequent file reads of encrypted archives

Defensive Monitoring Ideas

  • Windows Sysmon: process creation & command-line logging

  • Linux auditd: execution of cracking tools

  • Endpoint monitoring for abnormal resource usage
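As an added example (not part of the original writeup), here is a small Python triage routine that applies the indicators above to process-creation records. The record format, hostnames and command lines are constructed for the example; they are not Sysmon or auditd output.

```python
import re
import shlex

# Constructed process-creation records, roughly what a Sysmon or auditd
# pipeline might forward. The field layout is assumed for this example.
SAMPLE_EVENTS = [
    '2024-12-09T10:01:12Z host=ws-07 user=elf cmd="pdfcrack -f flag.pdf -w /usr/share/wordlists/rockyou.txt"',
    '2024-12-09T10:02:40Z host=ws-07 user=elf cmd="john --wordlist=rockyou.txt flag.zip.hash"',
    '2024-12-09T10:03:05Z host=ws-07 user=elf cmd="hashcat -m 17200 -a 3 flag.zip.hash ?l?l?l?d?d"',
    '2024-12-09T10:04:11Z host=ws-12 user=carrotbane cmd="file flag.pdf"',
    '2024-12-09T10:05:00Z host=ws-12 user=carrotbane cmd="grep -i john /etc/passwd"',
]

# Tools named in the writeup. Matching is on the executable basename only,
# so "grep -i john" is not a hit but "/opt/hashcat/hashcat" is.
CRACKING_TOOLS = {"john", "hashcat", "pdfcrack", "fcrackzip"}
# Wordlist hints: john's --wordlist, pdfcrack's -w, or the rockyou list itself.
WORDLIST_RE = re.compile(r"(--wordlist|(^|\s)-w\s|rockyou)", re.IGNORECASE)
# hashcat-style mask charsets (?l ?u ?d ?h ?H ?s ?a ?b) in the arguments.
MASK_RE = re.compile(r"\?[ludhHsab]")
EVENT_RE = re.compile(r'host=(\S+) user=(\S+) cmd="([^"]*)"')


def analyse_event(line):
    """Return a finding dict for a cracking-related record, or None otherwise."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    host, user, cmd = m.groups()
    argv = shlex.split(cmd)
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in CRACKING_TOOLS:
        return None
    reasons = ["cracking tool executed"]
    if WORDLIST_RE.search(cmd):
        reasons.append("wordlist referenced")
    if MASK_RE.search(cmd):
        reasons.append("mask pattern in arguments")
    return {"host": host, "user": user, "tool": tool, "reasons": reasons}


def triage(events):
    """Run analyse_event over a batch of records and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The same rule would be wired into a SIEM as a process-creation query on executable basename plus command-line content; the point of the script is to show that the two signals (tool name, wordlist or mask arguments) should be combined to cut false positives.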


🚨 Incident Response Playbook

When unauthorized password-cracking activity is detected:

  1. Isolate the affected system

  2. Capture volatile data (processes, memory, GPU usage)

  3. Preserve wordlists, hashes, and shell history

  4. Review decrypted data for exposure risks

  5. Rotate affected credentials

  6. Enforce strong password policies and MFA

  7. Educate staff on proper tool usage


๐Ÿ Flags from the Exercise

  • Encrypted PDF:
    THM{Cr4ck1ng_PDFs_1s_34$y}

  • Encrypted ZIP:
    THM{Cr4ck1n6_z1p$_1s_34$yyyy}


๐ŸŽ Conclusion

This challenge clearly demonstrates a fundamental truth in cybersecurity:

Encryption is only as strong as the password protecting it.

Weak passwords can be cracked quickly, exposing sensitive data even when strong encryption algorithms are used. Defenders must combine strong password policies, monitoring, and user education to protect encrypted assets effectively.


🚀 Further Learning

To deepen your understanding, explore:

  • Password Attacks room on TryHackMe

  • Credential Access techniques

  • Endpoint Detection & Response (EDR) strategies
