Unfinished File
tjctf
Task: analyze a Chrome .crdownload incomplete download file containing embedded data. Solution: extract embedded ZIP archive, recover XOR-encrypted flag using known-plaintext attack with flag prefix.
Unfinished File — TJCTF 2026
Description
"my stupid friend tried downloading this file before i shut my laptop down, what was he trying to do?"
Attachment: secret_archive.zip.crdownload (463 bytes) — a Chrome incomplete download file.
Analysis
The .crdownload extension is Chrome's format for incomplete downloads. At only 463 bytes, this file is small enough for manual binary analysis.
Examining the file structure revealed three distinct regions:
- CRDL header (offset 0x00): Magic bytes CRDL, version info, and the source URL https://example.com/secret_archive.zip
- XOR-encrypted blob (offset 0x47): Encoded data with preceding control characters
- Embedded ZIP archive (offset 0x100): Standard PK signature (ZIP magic bytes)
The embedded ZIP contained two files:
- readme.txt — decoy text: "This file is incomplete. Keep looking..."
- hidden/.flagdata — 47 bytes of XOR-encrypted data
The .flagdata hex content:
36 28 21 36 24 39 2c 71 34 71 30 1d 2e 71 36 1d
72 36 2a 27 30 1d 32 71 72 32 2e 27 1d 36 72 37
21 2a 1d 37 30 1d 21 72 2f 32 37 36 27 30 3f
Solution
Known-plaintext attack on single-byte XOR
The flag format tjctf{ provides 6 known plaintext bytes. XORing the first encrypted byte with the expected plaintext reveals the key:
0x36 ^ 0x74 ('t') = 0x42 ('B')
Verifying against all 6 prefix bytes:
...
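The key derivation above, as an added example that is not part of the original writeup: it XORs the .flagdata bytes with the known tjctf{ prefix, checks that every prefix byte yields the same key, and decrypts. It goes slightly beyond the single-byte case by returning the shortest repeating key consistent with the known prefix; the function names are illustrative assumptions.

```python
# Added example: known-plaintext recovery of a short repeating XOR key.
# FLAGDATA_HEX is the .flagdata dump quoted in the writeup; names are illustrative.
FLAGDATA_HEX = """
36 28 21 36 24 39 2c 71 34 71 30 1d 2e 71 36 1d
72 36 2a 27 30 1d 32 71 72 32 2e 27 1d 36 72 37
21 2a 1d 37 30 1d 21 72 2f 32 37 36 27 30 3f
"""
KNOWN_PREFIX = b"tjctf{"  # flag format stated in the writeup


def keystream_from_known(ciphertext: bytes, known: bytes) -> bytes:
    """XOR ciphertext with known plaintext to expose the key bytes used there."""
    if len(ciphertext) < len(known):
        raise ValueError("ciphertext shorter than known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def shortest_key(keystream: bytes) -> bytes:
    """Return the shortest key whose repetition reproduces the keystream."""
    n = len(keystream)
    for period in range(1, n + 1):
        if all(keystream[i] == keystream[i % period] for i in range(n)):
            return keystream[:period]
    raise ValueError("empty keystream")


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Apply the repeating key across the whole ciphertext."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def recover(ciphertext: bytes, known: bytes = KNOWN_PREFIX):
    """Derive the key from the known prefix, decrypt, and sanity-check the result."""
    key = shortest_key(keystream_from_known(ciphertext, known))
    plaintext = xor_decrypt(ciphertext, key)
    # A wrong key model shows up as non-printable bytes past the known prefix.
    if not all(0x20 <= b < 0x7F for b in plaintext):
        raise ValueError("plaintext not printable; not a short repeating XOR key")
    return key, plaintext


if __name__ == "__main__":
    key, flag = recover(bytes.fromhex(FLAGDATA_HEX))
    print(f"key = 0x{key.hex()} (period {len(key)})")
    print(flag.decode("ascii"))
```

If the recovered key period equals the length of the known prefix, the prefix alone does not confirm the key, and the printable-ASCII check is the only validation left.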