:::info Last tested Kali Linux 2025.4 · HexStrike AI (Kali package 2025.4 repo) · May 2026. Results may vary on other versions. :::
AI-Driven ZIP Password Recovery with HexStrike-AI and Gemini-CLI
From Encrypted Archive to Flag Using LLM-Orchestrated Tooling

Overview
This guide demonstrates how HexStrike-AI, orchestrated through Gemini-CLI, can autonomously solve a common security / CTF task:
Recover the contents of an encrypted ZIP archive using a known password dictionary.
What makes this workflow different is not the tools themselves — but how the AI reasons, pivots, and adapts when something fails.
This is a fully authorized, local lab scenario.
Scenario
Objective
- Open an encrypted ZIP file
- Recover the password using a provided wordlist
- Extract the contents and retrieve the flag
Inputs
- Encrypted ZIP: /path/to/secret_file.zip
- Password dictionary: /path/to/wordlist.txt
Tooling (via HexStrike-AI)
- zip2john
- john
- unzip
- 7z
- Standard Linux utilities
Step-by-Step Execution Flow
1. Task initiation (LLM-driven)
The user provides a single high-level prompt:
Open encrypted zip file and find the flag using the provided password list.

No commands.
No tool selection.
No manual troubleshooting.
2. Tool discovery & preparation
HexStrike-AI:
- Determines that ZIP cracking requires hash extraction
- Locates zip2john automatically
- Verifies tool availability on the system

Key point:
The AI does environment discovery before acting.
3. ZIP hash extraction
Initial attempts fail due to incorrect paths.
HexStrike-AI:
- Enumerates /home
- Identifies the correct user (andrey)
- Locates: /path/to/secret_file.zip
Then successfully extracts the ZIP hash:
zip2john secret_file.zip > zip_hash.txt
4. Offline password cracking
HexStrike-AI selects the correct cracking strategy:
- Offline attack (safe, fast, no lockouts)
- Uses john with the provided wordlist
john --wordlist=passwords_list.txt zip_hash.txt
Result
Password found: Israel123

5. First extraction attempt (failure handling)
The AI attempts:
unzip -P Israel123 secret_file.zip
Failure occurs:
- Unsupported compression method (AES / method 99)
Critical behavior:
HexStrike-AI does not stop and does not guess.
6. Adaptive pivot (tool switching)
HexStrike-AI:
- Recognizes AES-encrypted ZIP
- Checks for alternative tooling
- Detects 7z is available
- Switches extraction method automatically
7z x -pIsrael123 secret_file.zip
Extraction succeeds.

7. Flag retrieval
Final step:
cat secret_file.txt
Flag recovered

Your Flag
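The unzip failure in step 5 and the switch to 7z in step 6 can be predicted before any extraction attempt, because the archive's directory is readable without the password. The following is an added example, not code from the original post or from HexStrike-AI: it reads each entry's method field and the 0x9901 extra record to tell WinZip AES (method 99) from legacy ZipCrypto. The function names and the build_sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field record holding the AES parameters
KEY_BITS = {1: 128, 2: 192, 3: 256}

def aes_params(extra):
    """Return (key_bits, real_compression_method) from the 0x9901 record, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 7:
            _ver, _vendor, strength, method = struct.unpack_from("<H2sBH", body)
            return KEY_BITS.get(strength, "unknown"), method
        pos += 4 + size
    return None

def inspect_zip(blob):
    """List (name, protection, extractor) per entry; no password is needed."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.compress_type == AES_METHOD:
                params = aes_params(info.extra)
                bits = params[0] if params else "unknown"
                rows.append((info.filename, f"AES-{bits}", "7z"))
            elif info.flag_bits & 0x1:  # bit 0 set: traditional encryption
                rows.append((info.filename, "ZipCrypto", "unzip or 7z"))
            else:
                rows.append((info.filename, "none", "unzip or 7z"))
    return rows

def build_sample(aes):
    """Constructed one-entry archive; payload is placeholder bytes, not ciphertext."""
    name, data = b"secret_file.txt", b"\x00" * 32
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8) if aes else b""
    method, flags = (AES_METHOD, 1) if aes else (0, 0)
    sizes = (0, len(data), len(data), len(name), len(extra))  # crc, sizes, lengths
    lfh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0, 0,
                      *sizes) + name + extra + data
    cdh = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method, 0, 0,
                      *sizes, 0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdh), len(lfh), 0)
    return lfh + cdh + eocd

if __name__ == "__main__":
    print(inspect_zip(build_sample(True)), inspect_zip(build_sample(False)))
```

To check a real archive, pass the file's bytes to inspect_zip; the same report also tells a defender whether an archive relies on the weaker legacy ZipCrypto scheme.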
Final Result
| Item | Value |
| --- | --- |
| ZIP Password | Israel123 |
| Encryption | ZIP AES |
| Flag | Your Flag |
| Attack Type | Offline dictionary |
| Interaction | Single prompt |
| Manual intervention | None |
Why This Matters
This is not about cracking ZIP files.
This example demonstrates how AI-driven execution changes security workflows:
What HexStrike-AI did autonomously
- Identified the correct attack class
- Located missing files
- Corrected user errors
- Selected appropriate tools
- Pivoted when a tool failed
- Completed the objective end-to-end
What the user did
- Defined scope
- Provided a wordlist
- Issued one prompt
Key Takeaways
- AI is not “running tools blindly”
- It performs reasoned decision-making
- Failures are treated as signals, not blockers
- Tool chaining is dynamic, not scripted
- This mirrors how a real junior pentester / analyst works — at machine speed
Defensive Perspective
From a blue-team standpoint, this highlights why:
- Weak passwords remain dangerous even with “strong” encryption
- Offline attacks bypass rate limits entirely
- Password reuse and leaked wordlists are critical risks
Conclusion
This lab shows how HexStrike-AI + Gemini-CLI can execute a complete security task:
From problem definition → tool discovery → exploitation → validation → result
All driven by one prompt.
This is not automation replacing expertise.
It is expertise amplified.
By Andrey Pautov on December 25, 2025.
Exported from Medium on May 15, 2026.