It is my Birthday (100 points)

SOLVED xNULL

I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:55343/

The challenge provides a website where you can upload 2 files. I assume the challenge title is the hint for this challenge: it probably refers to a birthday attack. The challenge also states that the site uses MD5, which is known to be vulnerable to collision attacks.

Tests

Uploading 2x the same file => Files are not different!
Uploading 2x different files => MD5 hashes do not match!
Uploading txt files => Not a PDF!

Assumption

  • The challenge requires me to upload 2 different files with the same MD5 hash

Exploit

After some quick Google-fu on how to create an MD5 collision, I stumbled on this GitHub repo. It explains how a collision with a PDF works and provides 2 different PDFs with the same hash. Going the easy way, I downloaded the 2 PDFs, checked the hashes and submitted them to the challenge form.

└─$ md5sum poeMD5_*
b347b04fac568905706c04f3ba4e221d  poeMD5_A.pdf
b347b04fac568905706c04f3ba4e221d  poeMD5_B.pdf
┌──(xnull㉿io)-[~/pico/birthday]
└─$ diff poeMD5_*
Binary files poeMD5_A.pdf and poeMD5_B.pdf differ

When uploading the files we get the source of index.php, which contains the flag:

<?php

if (isset($_POST["submit"])) {
    $type1 = $_FILES["file1"]["type"];
    $type2 = $_FILES["file2"]["type"];
    $size1 = $_FILES["file1"]["size"];
    $size2 = $_FILES["file2"]["size"];
    $SIZE_LIMIT = 18 * 1024;

    if (($size1 < $SIZE_LIMIT) && ($size2 < $SIZE_LIMIT)) {
        if (($type1 == "application/pdf") && ($type2 == "application/pdf")) {
            $contents1 = file_get_contents($_FILES["file1"]["tmp_name"]);
            $contents2 = file_get_contents($_FILES["file2"]["tmp_name"]);

            if ($contents1 != $contents2) {
                if (md5_file($_FILES["file1"]["tmp_name"]) == md5_file($_FILES["file2"]["tmp_name"])) {
                    highlight_file("index.php");
                    die();
                } else {
                    echo "MD5 hashes do not match!";
                    die();
                }
            } else {
                echo "Files are not different!";
                die();
            }
        } else {
            echo "Not a PDF!";
            die();
        }
    } else {
        echo "File too large!";
        die();
    }
}

// FLAG: picoCTF{c0ngr4ts_u_r_1nv1t3d_aad886b9}

?>

picoCTF{c0ngr4ts_u_r_1nv1t3d_aad886b9}
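For comparison, a hardened form of the same upload check, written as an added example and not part of the challenge or the original writeup: it sniffs the file type from the bytes instead of trusting the client-supplied `type`, and compares SHA-256 digests with `hash_equals`, so the two colliding PDFs are reported as different. The helper names `checked_pdf_path` and `same_content` are hypothetical, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the challenge's code: hardened form of the upload comparison.
// Field names file1/file2 and the 18 KiB limit are taken from the challenge source.

const SIZE_LIMIT = 18 * 1024;

/** Return the temp path of a validated PDF upload, or null if any check fails. */
function checked_pdf_path(array $upload): ?string
{
    if (($upload["error"] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $path = $upload["tmp_name"];
    if (!is_uploaded_file($path) || filesize($path) >= SIZE_LIMIT) {
        return null;
    }
    // Detect the type from the file's bytes; $_FILES[...]["type"] is sent by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) === "application/pdf" ? $path : null;
}

/** True only when both files have the same SHA-256 digest. */
function same_content(string $pathA, string $pathB): bool
{
    $a = hash_file("sha256", $pathA);
    $b = hash_file("sha256", $pathB);
    // hash_equals compares as strings; loose == treats two "0e<digits>" digests
    // as numbers and reports them equal.
    return $a !== false && $b !== false && hash_equals($a, $b);
}

if (isset($_POST["submit"])) {
    $p1 = checked_pdf_path($_FILES["file1"] ?? []);
    $p2 = checked_pdf_path($_FILES["file2"] ?? []);
    if ($p1 === null || $p2 === null) {
        die("Rejected: both uploads must be PDFs under the size limit.");
    }
    // An MD5 collision pair such as poeMD5_A.pdf / poeMD5_B.pdf lands in "differ".
    echo same_content($p1, $p2) ? "Files are identical." : "Files differ.";
}
```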

Last modified: July 5, 2021
