This challenge unsurprisingly provides a `challenge.zip`. `johntheripper` and `rockyou` produced the first password.


Which extracted `alittlemore.zip`. This was cracked in the same manner, but with a different wordlist of unknown origin, to produce the next password.


What turned out to be the final archive, `flag.zip`, was more resistant to wordlists and simple brute forcing. Eventually I became curious about the contents, and searching for `pkzip.ps.gz` revealed that it was a part of `pkcrack`, a zip cracking utility that requires a known plaintext file be present in the encrypted archive. Since `pkzip.ps.gz` is included in the encrypted `flag.zip`, and available unencrypted from `pkcrack` itself, I had everything I needed for the final step.

In preparation for running `pkcrack` I downloaded `pkzip.ps.gz` and zipped it up in a new unencrypted zipfile, making sure the compression mode matched afterwards with `unzip -v flag.zip` and `unzip -v new.zip`.

$ zip new.zip pkzip.ps.gz

$ unzip -v flag.zip
Archive: flag.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
74841 Defl:N 74321 1% 09-01-2022 19:05 11958b6d KP/pkzip.ps.gz
42 Stored 42 0% 08-29-2022 15:26 5dd7a68f flag/flag.txt
-------- ------- --- -------
74883 74363 1% 2 files

$ unzip -v new.zip
Archive: new.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
74841 Defl:N 74321 1% 09-27-2022 16:07 11958b6d pkzip.ps.gz
-------- ------- --- -------
74841 74321 1% 1 file

Then `pkcrack` decrypted the contents of `flag.zip`.

$ pkcrack -C flag.zip -c KP/pkzip.ps.gz -P new.zip -p pkzip.ps.gz

The flag was revealed.


Original writeup (https://nullcasa.github.io/ctf-metared-stage1-2022/).