It is my Birthday points:100
Description
I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:50970/
Hint
Look at the category of this problem. How may a PHP site check the rules in the description?
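Solution
The page presents a file upload form. Going by the challenge hint, it appears to check that the uploaded files are PDFs and that their MD5 values match.
Approach: generate two files whose contents differ but which share the same prefix and the same MD5 value, and give them a .pdf extension.
First, install the fastcoll tool.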
```bash
sudo apt install libboost-filesystem-dev libboost-program-options-dev
git clone https://github.com/brimstone/fastcoll.git
cd fastcoll
g++ -O3 *.cpp -lboost_filesystem -lboost_program_options -lboost_system -o fastcoll -static && strip fastcoll
```
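When the build finishes, the fastcoll executable is in the current directory. Next, create an arbitrary file to serve as the prefix.
Use the following command to produce the two PDF files (two different contents with the same prefix and the same MD5 value).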
```bash
./fastcoll -p ntust -o ../1.pdf ../2.pdf
```
Upload the two files and submit; the site responds with this PHP source code.
```php
<?php

if (isset($_POST["submit"])) {
    $type1 = $_FILES["file1"]["type"];
    $type2 = $_FILES["file2"]["type"];
    $size1 = $_FILES["file1"]["size"];
    $size2 = $_FILES["file2"]["size"];
    $SIZE_LIMIT = 18 * 1024;

    if (($size1 < $SIZE_LIMIT) && ($size2 < $SIZE_LIMIT)) {
        if (($type1 == "application/pdf") && ($type2 == "application/pdf")) {
            $contents1 = file_get_contents($_FILES["file1"]["tmp_name"]);
            $contents2 = file_get_contents($_FILES["file2"]["tmp_name"]);

            if ($contents1 != $contents2) {
                if (md5_file($_FILES["file1"]["tmp_name"]) == md5_file($_FILES["file2"]["tmp_name"])) {
                    highlight_file("index.php");
                    die();
                } else {
                    echo "MD5 hashes do not match!";
                    die();
                }
            } else {
                echo "Files are not different!";
                die();
            }
        } else {
            echo "Not a PDF!";
            die();
        }
    } else {
        echo "File too large!";
        die();
    }
}

?>
<!DOCTYPE html>
<html lang="en">

<head>
    <title>It is my Birthday</title>

    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">

    <link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">

    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>

<body>
    <div class="container">
        <div class="header">
            <h3 class="text-muted">It is my Birthday</h3>
        </div>
        <div class="jumbotron">
            <p class="lead"></p>
            <div class="row">
                <div class="col-xs-12 col-sm-12 col-md-12">
                    <h3>See if you are invited to my party!</h3>
                </div>
            </div>
            <br/>
            <div class="upload-form">
                <form role="form" action="/index.php" method="post" enctype="multipart/form-data">
                    <div class="row">
                        <div class="form-group">
                            <input type="file" name="file1" id="file1" class="form-control input-lg">
                            <input type="file" name="file2" id="file2" class="form-control input-lg">
                        </div>
                    </div>
                    <div class="row">
                        <div class="col-xs-12 col-sm-12 col-md-12">
                            <input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Upload">
                        </div>
                    </div>
                </form>
            </div>
        </div>
    </div>
    <footer class="footer">
        <p>&copy; PicoCTF</p>
    </footer>
    </div>

    <script>
    $(document).ready(function(){
        $(".close").click(function(){
            $("myAlert").alert("close");
        });
    });
    </script>
</body>

</html>
```
flag: picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}
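For comparison, a stricter version of the checks in the index.php shown above, as an added example that is not part of the challenge or of the original write-up: it reads each file's own header instead of trusting the client-supplied type, and compares SHA-256 digests with hash_equals() instead of MD5 digests with ==. The function names and the sample files are made up for illustration.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

const SIZE_LIMIT = 18 * 1024; // same limit as index.php above

// Check the file's own leading bytes; $_FILES[...]["type"] is only the
// Content-Type value the client chose to send.
function looks_like_pdf(string $path): bool
{
    return file_get_contents($path, false, null, 0, 5) === "%PDF-";
}

// Returns "rejected: <reason>", "identical" or "different".
// $path1/$path2 are server-side paths such as $_FILES[...]["tmp_name"].
function compare_uploads(string $path1, string $path2): string
{
    foreach ([$path1, $path2] as $path) {
        if (filesize($path) >= SIZE_LIMIT) {
            return "rejected: file too large";
        }
        if (!looks_like_pdf($path)) {
            return "rejected: not a PDF";
        }
    }
    // SHA-256 has no known practical collisions, and hash_equals() compares
    // the digests as plain strings, without the type juggling of ==.
    $same = hash_equals(hash_file("sha256", $path1), hash_file("sha256", $path2));
    return $same ? "identical" : "different";
}

// Constructed sample input: two PDFs differing in one byte, one non-PDF.
$samples = [
    "a" => "%PDF-1.4\ninvite for Alice\n",
    "b" => "%PDF-1.4\ninvite for Alicf\n",
    "c" => "ntust prefix, no PDF header",
];
$paths = [];
foreach ($samples as $name => $body) {
    $paths[$name] = tempnam(sys_get_temp_dir(), "inv");
    file_put_contents($paths[$name], $body);
}

echo compare_uploads($paths["a"], $paths["a"]), "\n";
echo compare_uploads($paths["a"], $paths["b"]), "\n";
echo compare_uploads($paths["a"], $paths["c"]), "\n";

array_map("unlink", $paths);
```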