Writeups from challenges and CTFs i take part in.
This challenge is a follow up to the last one, zip 1. It tells us to brute-force an Microsoft Word file’s password. To access the .docx file you need to open the it2.zip file and insert the password we found earlier.
We now get a it2.docx file. Just like we did for zip 1, we’ll use john to turn the file into an hash:
office2john it2.docx > hash.txt
This time we won’t guess the password (we already have a hint: the password starts with kuld and is 7 characters long) but we’ll brute force it with hashcat starting from the original hint, kuld***.
To use hashcat in brute-force mode, we need to use the -a 3 flag. As we can see from the example hashes hashcat’s code for MS Office 2013 is 9600. Our command’s mask (the unknown part of the string) will be made of 4 characters. We’ll use different placeholders for different charsets:
?l lowercase (a-z)
?u uppercase (A-Z)
?d digits (0-9)
?s symbols
?a all
Let’s try lowercase alphabetical characters first:
hashcat -m 9600 hash.txt -a 3 kuld?l?l?l
We’ll get:
$office$*2013*100000*256*16*4fa274b82c7479757311707852c1d7de*b84fd3d4dd538a6484089051e92dff4f*95c194e063f98b8739e2115113b9f858449ac5e4c518ff2eca764d69391df8f9:kuldeep
This means that our password will be:
kuldeep