AI-Driven Office Documents Password Recovery with HexStrike-AI and Gemini-CLI

- Category: CTI
- Source article: https://medium.com/@1200km/ai-driven-office-documents-password-recovery-with-hexstrike-ai-and-gemini-cli-3c8bb7deb82d
- Published: 2025-12-29
- Preserved media: 8 image(s), including cover images, screenshots, diagrams, and infographics where present.
- Preserved technical blocks: 3 code/configuration block(s).
Ecosystem Fit
This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.
From Encrypted Document to Readable Content Using LLM-Orchestrated Tooling

Overview
This guide shows how HexStrike-AI, orchestrated through Gemini-CLI, can autonomously handle a common, authorized security task:
Regain access to a password-protected DOCX you own (or are explicitly authorized to access), identify the encryption scheme, and restore usability, without handholding.
The core value here is not "magic cracking." It is the AI's ability to reason, validate assumptions, and pivot when reality disagrees with the first plan.
This is a fully authorized, local scenario: the file, the candidate list, and the tooling all live on the same machine.
Full guide on how to install and use HexStrike-AI here:
HexStrike on Kali Linux 2025.4: A Comprehensive Guide
Manual Office file password cracking guide with real-life examples here: ../2024/2024-10-28-office-file-doc-docx-ppt-password-cracking-guide-with-real-life-examples-f8e356144ca4.md
Scenario
Objective
- Confirm a DOCX file is encrypted and determine how
- Distinguish between a user (open) password and an owner password / editing permissions
- Restore access using known credentials (password manager candidates, documented passphrases, owner-provided secrets)
- Extract the content and retrieve the flag (CTF-style) after access is legitimately obtained
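The first two objectives (is the file encrypted, and how) are worth settling before any wordlist is touched, because an editing restriction and a ZIP-level password are not Office encryption and office2john cannot help with them. The classifier below is an added example, not code from the article or from HexStrike-AI. It reads only the container: a plain OOXML zip is readable; a `w:documentProtection` element in `word/settings.xml` means an owner/permissions password with the content still in cleartext; an OLE container with an `EncryptionInfo` entry means a user (open) password, and an XML `<encryption>` body in that entry marks the Agile scheme (cipher, hash and spin count are read from `keyData` and `encryptedKey`). The OLE branch is a byte-scanning heuristic rather than a Compound File parser, and the two fixture builders are constructed inputs, not real documents.

```python
"""Classify an Office document's protection state before touching any cracking tool.

Outcomes: plain OOXML (readable), OOXML with an editing restriction (owner/permissions
password, content in cleartext), a ZIP-level password, or OLE-wrapped Office encryption
(user/open password), distinguishing Agile (XML EncryptionInfo) from the older binary
Standard/Extensible schemes. The OLE branch is a byte-scan heuristic, not a CFB parser."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # Compound File Binary signature
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML is a ZIP container
ENC_STREAM = "EncryptionInfo".encode("utf-16-le")        # directory entry name inside the OLE file
AGILE_NS = b"http://schemas.microsoft.com/office/2006/encryption"


def classify(data: bytes) -> dict:
    """Return a dict with at least a 'state' key describing how the file is protected."""
    if data.startswith(ZIP_MAGIC):
        return _classify_zip(data)
    if data.startswith(OLE_MAGIC):
        return _classify_ole(data)
    return {"state": "unknown", "detail": "neither an OOXML zip nor an OLE container"}


def _classify_zip(data: bytes) -> dict:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"state": "unknown", "detail": "corrupt zip"}
    # Bit 0 of the general-purpose flag marks a ZIP-encrypted entry: a zip password, not Office encryption.
    if any(info.flag_bits & 0x1 for info in zf.infolist()):
        return {"state": "zip_encrypted", "detail": "ZIP-level password; use a zip cracker, not office2john"}
    if "word/settings.xml" in zf.namelist():
        prot = re.search(rb"<w:documentProtection\b[^>]*>", zf.read("word/settings.xml"))
        if prot:
            edit = re.search(rb'w:edit="([^"]*)"', prot.group(0))
            return {"state": "readable_edit_restricted",
                    "edit": edit.group(1).decode() if edit else "?",
                    "detail": "owner/permissions password only; document.xml is already readable"}
    return {"state": "readable", "detail": "plain OOXML, no password"}


def _classify_ole(data: bytes) -> dict:
    if ENC_STREAM not in data:
        return {"state": "ole_no_encryptioninfo",
                "detail": "legacy binary .doc or other OLE file; not OOXML encryption"}
    start = data.find(b"<encryption ")
    if start != -1 and AGILE_NS in data[start:start + 400]:
        body = data[start:]
        key_data = re.search(rb"<keyData\b([^>]*)>", body)
        attrs = dict(re.findall(rb'(\w+)="([^"]*)"', key_data.group(1))) if key_data else {}
        spin = re.search(rb'spinCount="(\d+)"', body)   # lives on <p:encryptedKey>, not <keyData>
        return {"state": "encrypted", "scheme": "agile",
                "cipher": attrs.get(b"cipherAlgorithm", b"?").decode(),
                "hash": attrs.get(b"hashAlgorithm", b"?").decode(),
                "key_bits": int(attrs.get(b"keyBits", b"0")),
                "spin_count": int(spin.group(1)) if spin else 0,
                "detail": "user (open) password required; offline candidate check via office2john/john"}
    return {"state": "encrypted", "scheme": "standard_or_extensible",
            "detail": "binary EncryptionInfo (Office 2007-style); user (open) password required"}


# --- constructed fixtures (not real documents) so the classifier can be run offline ---
def build_docx(edit_restricted: bool) -> bytes:
    """Minimal OOXML zip; with edit_restricted, settings.xml carries a documentProtection element."""
    settings = b'<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    if edit_restricted:
        settings += b'<w:documentProtection w:edit="readOnly" w:enforcement="1"/>'
    settings += b"</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


def build_fake_agile_ole() -> bytes:
    """OLE signature + an EncryptionInfo entry name + a 4.4 (Agile) header + the XML body.
    Not a valid Compound File; just enough structure for the heuristic scanner."""
    xml = (b'<encryption xmlns="' + AGILE_NS + b'"><keyData saltSize="16" blockSize="16" '
           b'keyBits="256" hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
           b'hashAlgorithm="SHA512" saltValue="AAAA"/><keyEncryptors><keyEncryptor>'
           b'<p:encryptedKey spinCount="100000" saltValue="AAAA"/></keyEncryptor></keyEncryptors>'
           b"</encryption>")
    version_and_flags = b"\x04\x00\x04\x00\x40\x00\x00\x00"   # major 4, minor 4, fReserved
    return OLE_MAGIC + b"\x00" * 504 + ENC_STREAM + b"\x00" * 32 + version_and_flags + xml


if __name__ == "__main__":
    for label, blob in [("plain", build_docx(False)), ("restricted", build_docx(True)),
                        ("agile", build_fake_agile_ole()), ("junk", b"not a document")]:
        print(label, classify(blob))
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify()`; a `readable_edit_restricted` result means there is nothing to crack, since the text can be read directly from `word/document.xml`. For production use, a proper Compound File reader (for example the olefile package) replaces the byte scan.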
Inputs
- Encrypted file:
/home/andrey/Documents/my_secret_file.txt

- Password Dictionary:
/home/andrey/Documents/passwords_list.txt

Step-by-Step Execution Flow
- Run the HexStrike-AI server
hexstrike_server

- Run Gemini-CLI (the binary installed by the Gemini CLI package is named gemini)
gemini

Prompt:
@hexstrike Crack password of /home/andrey/Documents/my_secret_file.txt. use passwords list /home/andrey/Documents/password_list.txt
Execution Flow:
1) Task initiation (single high-level prompt)
You issued one objective:
- Recover access to /home/andrey/Documents/my_secret_file.txt using a provided candidate list
- Proceed until the document content is readable
No manual tool selection, no pre-planned commands.

2) Tool capability gap identified
HexStrike initially reported that it had no dedicated "crack docx" tool.
AI behavior: rather than stopping, it shifted to a plan that starts with deriving a verification artifact from the DOCX (a hash representation suitable for offline candidate checking).
3) First failure: write location permissions
The AI attempted to save output under a system directory (/usr/lib/...) and hit Permission denied.
**Pivot:** it switched to a user-writable temp directory under the Gemini working area and retried.
4) Second failure: dependency not in PATH
The helper utility needed for extraction was not callable directly (command not found).
**Pivot:** the AI performed filesystem discovery, located the tool in a non-PATH location, and re-ran it using the full path.

5) Extraction succeeded (hash/verification artifact produced)
With the correct tool path and a writable output directory, the AI generated the intermediate artifact successfully and prepared it for offline checking.
6) Offline candidate validation (dictionary replay)
The AI ran an offline candidate check using:
- The artifact extracted from the DOCX file
- The provided wordlist
**Failure:** wordlist path mismatch (the prompt said password_list.txt; the file on disk is passwords_list.txt).
**Pivot:** it listed ~/Documents, confirmed the actual filename, and reran with the corrected path.
7) Success: password recovered
After correcting the wordlist filename, the run completed and returned a valid password for the file:
- Recovered password:
MyStrongPass
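Steps 2 through 7 are a fixed procedure once the pivots are known: derive the hash, write it somewhere writable, find the extractor even when it is off PATH, reconcile the wordlist name, replay the list. The script below is an added example that replays those pivots deterministically; it is not the article's code and not HexStrike-AI's implementation. It relies on two john tools that really exist, office2john.py (which prints a hash line for an encrypted Office file) and john with its documented `--wordlist=` and `--show` options; the candidate directories in TOOL_SEARCH_DIRS, the default output path under /usr/lib, and the fixtures in demo() are assumptions for illustration. The helpers that embody the three pivots can be exercised without john installed.

```python
"""Deterministic re-run of the walkthrough's pivots: find office2john.py even when it is
off PATH, fall back from an unwritable output directory, repair a mistyped wordlist name,
then hand the hash to john. demo() exercises the pivot helpers on constructed fixtures."""
import difflib
import os
import shutil
import subprocess
import tempfile

# Assumed locations to try when the tool is not on PATH (Kali ships office2john.py in
# /usr/share/john; a source build leaves it in <checkout>/run). Adjust for your box.
TOOL_SEARCH_DIRS = ["/usr/share/john", "/opt/john/run", "/usr/lib/john",
                    os.path.expanduser("~/john/run")]


def find_tool(name, search_dirs=TOOL_SEARCH_DIRS, use_path=True):
    """PATH lookup first, then the candidate directories (the 'command not found' pivot)."""
    if use_path and shutil.which(name):
        return shutil.which(name)
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def pick_outdir(preferred):
    """Use the preferred directory only if it can be created and written to; otherwise a
    private temp directory (the 'Permission denied under /usr/lib' pivot)."""
    try:
        os.makedirs(preferred, exist_ok=True)
        with tempfile.NamedTemporaryFile(dir=preferred):
            pass
        return preferred
    except OSError:
        return tempfile.mkdtemp(prefix="docx-recovery-")


def resolve_wordlist(path, cutoff=0.8):
    """Exact path if present; otherwise the closest filename in the same directory
    (the 'password_list.txt vs passwords_list.txt' pivot). None if nothing is close enough."""
    if os.path.isfile(path):
        return path
    directory, name = os.path.split(path)
    try:
        siblings = os.listdir(directory or ".")
    except OSError:
        return None
    match = difflib.get_close_matches(name, siblings, n=1, cutoff=cutoff)
    return os.path.join(directory, match[0]) if match else None


def recover(docx, wordlist, outdir="/usr/lib/docx-recovery"):
    """Extract the verification hash with office2john.py and replay the wordlist with john.
    Returns the recovered password, or None if the wordlist did not contain it."""
    office2john = find_tool("office2john.py")
    john = find_tool("john")
    if not office2john or not john:
        raise FileNotFoundError("office2john.py / john not found (Kali: apt install john)")
    wl = resolve_wordlist(wordlist)
    if wl is None:
        raise FileNotFoundError(f"no wordlist matching {wordlist}")
    hash_file = os.path.join(pick_outdir(outdir), "docx.hash")
    with open(hash_file, "w") as fh:
        subprocess.run(["python3", office2john, docx], check=True, stdout=fh)
    subprocess.run([john, f"--wordlist={wl}", hash_file], check=True)
    shown = subprocess.run([john, "--show", hash_file], check=True,
                           capture_output=True, text=True).stdout
    for line in shown.splitlines():           # "<file>:<password>" lines, then a summary line
        if ":" in line and "password hash" not in line:
            return line.split(":", 1)[1]
    return None


def demo():
    """Exercise the three pivot helpers against constructed fixtures (no john required)."""
    root = tempfile.mkdtemp(prefix="demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    real_list = os.path.join(docs, "passwords_list.txt")    # the file that actually exists
    with open(real_list, "w") as fh:
        fh.write("123456\nMyStrongPass\n")                   # constructed candidate list
    tooldir = os.path.join(root, "john-run")                 # stand-in for /usr/share/john
    os.makedirs(tooldir)
    stub_tool = os.path.join(tooldir, "office2john.py")
    with open(stub_tool, "w") as fh:
        fh.write("# stub for the demo only\n")
    blocker = os.path.join(root, "not-a-dir")                # a file where a directory is expected
    open(blocker, "w").close()
    preferred = os.path.join(blocker, "out")                 # cannot be created: triggers fallback
    fallback = pick_outdir(preferred)
    return {
        "wordlist": resolve_wordlist(os.path.join(docs, "password_list.txt")),  # mistyped name
        "expected_wordlist": real_list,
        "missing": resolve_wordlist(os.path.join(docs, "rockyou.txt")),
        "tool": find_tool("office2john.py", search_dirs=[tooldir], use_path=False),
        "expected_tool": stub_tool,
        "fallback_used": fallback != preferred,
        "fallback_writable": os.access(fallback, os.W_OK),
    }


if __name__ == "__main__":
    print(demo())
```

On a real box the call is `recover("/home/andrey/Documents/my_secret_file.txt", "/home/andrey/Documents/password_list.txt")`, which tolerates the same mistyped wordlist name as the prompt in the walkthrough. The fuzzy match is deliberately conservative (cutoff 0.8): a near-miss like a missing letter is repaired, while an unrelated name returns None instead of silently picking a different list.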

Conclusion
This DOCX flow demonstrates the real advantage of AI-orchestrated tooling: not the individual utilities, but the system's ability to self-correct and still reach the objective from a single high-level instruction.
The key outcome is the closed-loop troubleshooting behavior:
- **Precondition validation:** it verifies that the target file and the candidate list exist, are readable, and are correctly referenced (paths, filenames, permissions).
- **Environment discovery:** when a required dependency or capability is missing, it does not stall; it enumerates what is available and adjusts the plan accordingly.
- **Error-driven adaptation:** permission issues, missing binaries, and incorrect assumptions (for example, a wrong filename in the prompt) are treated as telemetry. The AI diagnoses the failure, applies the minimal correction, and retries.
- **End-to-end convergence:** the workflow remains goal-driven (recover access, validate, extract content) rather than tool-driven, which prevents "random command spam."
This is what "one prompt success" actually means in practice: the user defines scope and intent once, and the AI handles the messy middle (environment quirks, path mistakes, and execution pivots) until it reaches a verified result.