Kick31.zip

Challenge category: Reverse Engineering / Forensics
Difficulty: Medium
Points: 250 (typical)

The file kick31.zip is a password-protected ZIP archive. Inside the archive there is a single file named kick31.bin. The goal is to retrieve the flag hidden somewhere in the binary.

Cracking the archive password

The hash line for the archive (saved as kick31.hash):

kick31.zip:$pkzip2$*0*1*2*10*...*e0e9c...

A standard wordlist (rockyou.txt) plus a small custom rule set usually does the job.

$ john --wordlist=rockyou.txt kick31.hash

After a few seconds John reports:

The key check

The binary's key check routine:

#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* md5() is the binary's own routine: hashes len bytes of data into out (16 bytes). */
void md5(const uint8_t *data, size_t len, uint8_t *out);

bool check_key(char *input)
{
    const uint8_t secret[] = { 0x7a, 0x3d, 0x5e, 0x1f, 0x9a, 0xb8, 0xc4, 0x02,
                               0x6d, 0x55, 0x0a, 0xf1, 0x33, 0x7c, 0x8e, 0xe2 };
    uint8_t derived[16];
    md5((uint8_t*)input, strlen(input), derived); // simple MD5 hash
    return memcmp(derived, secret, 16) == 0;
}

The program expects the MD5 hash of the entered key to equal a hard-coded 16-byte constant.

4.4 Recover the expected key

We need a string whose MD5 digest matches the secret array. Compute the digest of candidate strings until we find a match.

#!/usr/bin/env python3
import hashlib
import itertools
import string

# The 16-byte MD5 digest hard-coded in check_key() (the secret array)
target = bytes([0x7a, 0x3d, 0x5e, 0x1f, 0x9a, 0xb8, 0xc4, 0x02,
                0x6d, 0x55, 0x0a, 0xf1, 0x33, 0x7c, 0x8e, 0xe2])

# Brute-force short printable strings (1-6 chars)
charset = string.printable.strip()  # remove whitespace
for length in range(1, 7):
    for candidate in itertools.product(charset, repeat=length):
        s = ''.join(candidate)
        if hashlib.md5(s.encode()).digest() == target:
            print("[+] Found key:", s)
            raise SystemExit

Running the script yields:
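The search above is written as a one-off script; the added example below (mine, not part of the original writeup) turns the same idea into reusable functions: a Python mirror of the binary's check_key(), a keyspace estimate so you can tell before starting whether a 1-6 character printable search is realistic, and a bounded preimage search that returns the key or None. The secret bytes are the ones quoted from check_key(); the demo target in the main block is constructed (MD5 of "k3y"), not the challenge's own value.

```python
import hashlib
import itertools
import string

# The 16-byte constant from the binary's check_key() (quoted from the writeup).
SECRET = bytes([0x7a, 0x3d, 0x5e, 0x1f, 0x9a, 0xb8, 0xc4, 0x02,
                0x6d, 0x55, 0x0a, 0xf1, 0x33, 0x7c, 0x8e, 0xe2])


def md5_of(s: str) -> bytes:
    """Raw 16-byte MD5 digest of a string, as the binary's md5() produces it."""
    return hashlib.md5(s.encode()).digest()


def check_key(candidate: str, secret: bytes = SECRET) -> bool:
    """Python equivalent of check_key(): MD5(candidate) must equal the secret array."""
    return md5_of(candidate) == secret


def keyspace_size(charset: str, max_len: int) -> int:
    """Number of strings of length 1..max_len over charset (sum of |charset|**n)."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def find_preimage(target: bytes, charset: str, max_len: int, limit=None):
    """Enumerate strings by increasing length and return the first whose MD5
    equals target. Returns None if nothing matches up to max_len, or once
    `limit` candidates have been tried (a budget so a hopeless search stops)."""
    tried = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            s = ''.join(tup)
            if md5_of(s) == target:
                return s
            tried += 1
            if limit is not None and tried >= limit:
                return None
    return None


if __name__ == "__main__":
    charset = string.printable.strip()
    # Shows why a naive 1-6 char search over all printable characters is far
    # larger than a few seconds of Python will cover.
    print(f"1..6 chars over {len(charset)} symbols: {keyspace_size(charset, 6):,} candidates")
    # Constructed demo target (hypothetical key "k3y"), not the challenge secret.
    demo_target = md5_of("k3y")
    print("demo key:", find_preimage(demo_target, string.ascii_lowercase + string.digits, 3))
```

Measuring the keyspace first is the practical takeaway: the writeup's full printable charset at six characters is on the order of 10^11 candidates, so in practice you narrow the charset or length (or use a wordlist, as was done for the ZIP password) before brute-forcing.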