I had a .zip file that was apparently encrypted with AES-256 deflate.
7z l -slt archive.zip | grep Method
Method = AES-256 Deflate
Then I used zip2john to get a "hash" out of it:
archive.zip/archive/flag.pdf:$zip2$*0*3*0*5e6874b2503c8250b2a618543de2a650*bf56*28*cc4ffaa12a7b647a26a362049842f670145c797ed7e46aad1bede1fdd0a38c381bd5145d506580d8*bb716f7901735f090566*$/zip2$:archive/flag.pdf:archive.zip:archive.zip
I then used john and managed to crack it, but I'm not happy.
I want to understand a few things. First of all, how do I make sense of the output of the zip2john command? I know this is not "just" a hash; what are all those other fields separated by ":" and "*"?
Regarding AES, am I right that the password we provide is used by a KDF to then generate the actual key? If that's the case, is this weak password the reason john was able to crack this?
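An added example, not part of the original post: a Python parser that splits the zip2john line above into named fields and shows the key derivation those fields feed. Field names follow the comment block in John the Ripper's zip2john.c and the derivation follows the WinZip AES specification; the function names and the `build_sample` entry are constructed here, and only entries whose data is stored inline are handled.

```python
import hashlib
import hmac

# Field order per zip2john.c: type*mode*magic*salt*verifier*length*data*auth
KEY_BYTES = {1: 16, 2: 24, 3: 32}    # mode -> AES key size (128/192/256 bit)
SALT_BYTES = {1: 8, 2: 12, 3: 16}    # mode -> salt size
PBKDF2_ROUNDS = 1000                 # fixed by the WinZip AES format
# The line from the post, split only to keep it readable.
PAGE_LINE = (
    "archive.zip/archive/flag.pdf:$zip2$*0*3*0*5e6874b2503c8250b2a618543de2a650"
    "*bf56*28*cc4ffaa12a7b647a26a362049842f670145c797ed7e46aad1bede1fdd0a38c38"
    "1bd5145d506580d8*bb716f7901735f090566*$/zip2$:archive/flag.pdf:archive.zip:archive.zip")

def parse_zip2(line):
    """Split one zip2john line into named fields and check their sizes."""
    label, rest = line.split(":$zip2$*", 1)          # label john shows per entry
    body, _, extra = rest.partition("*$/zip2$")      # extra: informational names
    typ, mode, magic, salt, verify, length, data, auth = body.split("*")
    f = {"label": label, "type": int(typ), "mode": int(mode), "magic": int(magic),
         "salt": bytes.fromhex(salt), "verify": bytes.fromhex(verify),
         "length": int(length, 16), "data": bytes.fromhex(data),
         "auth": bytes.fromhex(auth), "extra": extra.strip(":").split(":")}
    if len(f["salt"]) != SALT_BYTES[f["mode"]] or len(f["verify"]) != 2:
        raise ValueError("salt or verifier size does not match the mode")
    if len(f["data"]) != f["length"] or len(f["auth"]) != 10:
        raise ValueError("data or authentication code has the wrong size")
    return f

def derive(password, salt, mode):
    """PBKDF2-HMAC-SHA1 -> (AES key, HMAC key, 2-byte password verifier)."""
    n = KEY_BYTES[mode]
    out = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ROUNDS, 2 * n + 2)
    return out[:n], out[n:2 * n], out[2 * n:]

def check_password(f, password):
    """True when the password reproduces both the verifier and the HMAC."""
    _, mac_key, verifier = derive(password, f["salt"], f["mode"])
    mac = hmac.new(mac_key, f["data"], hashlib.sha1).digest()[:10]
    return (hmac.compare_digest(verifier, f["verify"])
            and hmac.compare_digest(mac, f["auth"]))

def build_sample(password, salt, data, mode=3):
    """Constructed entry for testing; 'data' stands in for encrypted bytes."""
    _, mac_key, verifier = derive(password, salt, mode)
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()[:10]
    return ("sample.zip/f:$zip2$*0*%d*0*%s*%s*%x*%s*%s*$/zip2$:f:sample.zip:sample.zip"
            % (mode, salt.hex(), verifier.hex(), len(data), data.hex(), mac.hex()))
```

The salt, the 2-byte verifier and the 10-byte HMAC-SHA1 code are all public in the archive, and each guess costs only 1000 PBKDF2 rounds, so the protection rests on the strength of the password.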