ZIP Files


  • zip2john

    Brute-force password-protected zip files.

    zip2john protected.zip > protected.john
    john --wordlist=/usr/share/wordlists/rockyou.txt protected.john
  • bkcrack - GitHub

    Crack ZipCrypto "store" files. Needs some known plaintext (~9 bytes) to work.

    Usage:

    bkcrack -L encrypted.zip # List all files in the zip
    bkcrack -C encrypted.zip -c zipped_file.png -p plain.png # Crack the zip when "store" method is used
    bkcrack -C encrypted.zip -c zipped_file.png -k key -D out.zip # Decipher the zip with the key

    See File signatures to generate the first 9 bytes of the file.
    You can use echo -n -e "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" > plain.png to generate the signature of a PNG file.

  • Reading the specifications

    Reading the file format specification is sometimes the only way to fix a corrupted ZIP. A summary of this specification can be found on GitHub

  • Malicious archive with a symlink (path traversal)

    tar and zip archives can store symlinks. A server that extracts an uploaded archive without sanitizing entry names or symlink targets can be tricked into reading or overwriting files outside the extraction directory.

    For example, an entry that is a symlink to ../../app/templates/index.html (or /etc/passwd, or the flag) lets you overwrite a server-side template (see Server-Side Template Injection) or read an arbitrary file once the extracted “file” is served back. This is a symlink variant of the classic Zip Slip path traversal.

    Build such an archive with:

    ln -s ../../app/templates/index.html evil
    tar -cvf payload.tar evil           # tar preserves the symlink
    zip --symlinks payload.zip evil     # zip needs --symlinks to store it as a link
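
    The three items above (ZipCrypto "store" entries that bkcrack can attack, reading the ZIP spec, and symlink / Zip Slip entries) all come down to fields in the central directory. The script below is an added example, not code from this page or from bkcrack: it builds a small ZIP by hand from the spec (APPNOTE.TXT), parses it back without extracting anything, and flags legacy ZipCrypto encryption, symlink entries (Unix mode in the high 16 bits of the external attributes, target stored as the entry data) and traversal names. The encrypted flag in the sample is only a header bit, nothing is really encrypted; the audit function and its messages are assumptions for illustration.

```python
"""Audit a ZIP's central directory for weak (ZipCrypto) encryption, symlink entries and
path-traversal names without extracting.  Added example; the sample archive is hand-built
from the ZIP spec so it runs offline, and its encryption bit is only a header flag."""
import io
import stat
import struct
import zipfile
import zlib

SIG_LOCAL = b"PK\x03\x04"
SIG_CENTRAL = b"PK\x01\x02"
SIG_EOCD = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001                                # general purpose bit 0
METHOD_NAMES = {0: "store", 8: "deflate", 99: "aes"}   # 99 = WinZip AES wrapper


def build_zip(entries):
    """Write (name, data, flags, unix_mode) tuples as a minimal stored ZIP."""
    body, central = bytearray(), bytearray()
    for name, data, flags, mode in entries:
        nameb, crc, offset = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(body)
        # local file header: version, flags, method (0 = store), time, date, crc, sizes, lengths
        body += SIG_LOCAL + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                                        len(data), len(data), len(nameb), 0) + nameb + data
        # central header: "version made by" high byte 3 = Unix, so the Unix mode is
        # carried in the high 16 bits of the external attributes (how symlinks are marked)
        central += SIG_CENTRAL + struct.pack("<HHHHHHIIIHHHHHII", (3 << 8) | 20, 20, flags,
                                             0, 0, 0, crc, len(data), len(data), len(nameb),
                                             0, 0, 0, 0, mode << 16, offset) + nameb
    n = len(entries)
    return bytes(body + central + SIG_EOCD +
                 struct.pack("<HHHHIIH", 0, 0, n, n, len(central), len(body), 0))


def parse_central_directory(blob):
    """Locate the end-of-central-directory record and decode each central header."""
    eocd = blob.rfind(SIG_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _, pos, _ = struct.unpack("<HHHHIIH", blob[eocd + 4:eocd + 22])
    entries = []
    for _ in range(count):
        if blob[pos:pos + 4] != SIG_CENTRAL:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (made_by, _, flags, method, _, _, _, csize, usize, nlen, xlen, clen,
         _, _, ext_attr, local_off) = struct.unpack("<HHHHHHIIIHHHHHII", blob[pos + 4:pos + 46])
        entries.append({
            "name": blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": METHOD_NAMES.get(method, "method-%d" % method),
            "unix_mode": ext_attr >> 16 if (made_by >> 8) == 3 else None,
            "compressed_size": csize, "size": usize, "local_offset": local_off,
        })
        pos += 46 + nlen + xlen + clen
    return entries


def stored_data(blob, entry):
    """Return the raw bytes of a stored entry (for a symlink, that is its target)."""
    off = entry["local_offset"]
    nlen, xlen = struct.unpack("<HH", blob[off + 26:off + 30])
    start = off + 30 + nlen + xlen
    return blob[start:start + entry["compressed_size"]]


def is_traversal(name):
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def audit(blob):
    """Return (entry name, finding) pairs for everything an extractor should refuse or flag."""
    findings = []
    for e in parse_central_directory(blob):
        if e["encrypted"] and e["method"] != "aes":
            findings.append((e["name"], "legacy ZipCrypto encryption (%s): known-plaintext "
                             "recovery is practical, use AES or re-encrypt" % e["method"]))
        if e["unix_mode"] is not None and stat.S_ISLNK(e["unix_mode"]):
            target = stored_data(blob, e).decode("utf-8", "replace")
            findings.append((e["name"], "symlink entry -> %s: resolve or reject before "
                             "extracting" % target))
        if is_traversal(e["name"]):
            findings.append((e["name"], "path traversal name (Zip Slip): reject"))
    return findings


def stdlib_names(blob):
    """Cross-check: the stdlib reader must accept the hand-built archive."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()


# Constructed sample: a benign file, an "encrypted" stored file, a symlink, a Zip Slip name.
SAMPLE_ZIP = build_zip([
    ("notes.txt", b"hello", 0, stat.S_IFREG | 0o644),
    ("secret.png", b"\x89PNG\r\n\x1a\n", FLAG_ENCRYPTED, stat.S_IFREG | 0o644),
    ("evil", b"../../app/templates/index.html", 0, stat.S_IFLNK | 0o777),
    ("../../app/templates/index.html", b"template text", 0, stat.S_IFREG | 0o644),
])

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ZIP):
        print("%-34s %s" % (name, finding))
```

    Run it on a real archive by replacing SAMPLE_ZIP with the file's bytes; an extractor that applies the same three checks before writing anything (and never follows a symlink target outside the destination) is not fooled by the payload.tar / payload.zip built above.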