picoCTF It is my Birthday [100 points]
It is my Birthday
points:100
Description
I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:50970/
Hint
Look at the category of this problem.
How may a PHP site check the rules in the description?
Solution
一進來網頁後看到可以上傳檔案,根據題目的提示似乎要檢查上傳pdf檔且md5值要一致
思路:自己產出一個兩個不同的字串但有相同的 PREFIX 和相同的 md5 值的檔案且副檔名要為pdf
首先先安裝fastcoll這個工具
sudo apt install libboost-filesystem-dev libboost-program-options-dev
git clone https://github.com/brimstone/fastcoll.git
cd fastclone
g++ -O3 *.cpp -lboost_filesystem -lboost_program_options -lboost_system -o fastcoll -static && strip fastcoll
執行完後會在當前目錄產生fastoll執行檔,之後創建任意一個檔案當作prefix標準
touch ntust
使用指令產出兩個pdf檔案(兩個不同的字串但有相同的 PREFIX 和相同的 md5 值的檔案)
./fastcoll -p ntust -o ../1.pdf ../2.pdf
把檔案丟上去並送出,拿到此php source code
<?php
if (isset($_POST["submit"])) {
$type1 = $_FILES["file1"]["type"];
$type2 = $_FILES["file2"]["type"];
$size1 = $_FILES["file1"]["size"];
$size2 = $_FILES["file2"]["size"];
$SIZE_LIMIT = 18 * 1024;
if (($size1 < $SIZE_LIMIT) && ($size2 < $SIZE_LIMIT)) {
if (($type1 == "application/pdf") && ($type2 == "application/pdf")) {
$contents1 = file_get_contents($_FILES["file1"]["tmp_name"]);
$contents2 = file_get_contents($_FILES["file2"]["tmp_name"]);
if ($contents1 != $contents2) {
if (md5_file($_FILES["file1"]["tmp_name"]) == md5_file($_FILES["file2"]["tmp_name"])) {
highlight_file("index.php");
die();
} else {
echo "MD5 hashes do not match!";
die();
}
} else {
echo "Files are not different!";
die();
}
} else {
echo "Not a PDF!";
die();
}
} else {
echo "File too large!";
die();
}
}
// FLAG: picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title>It is my Birthday</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
<link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="header">
<h3 class="text-muted">It is my Birthday</h3>
</div>
<div class="jumbotron">
<p class="lead"></p>
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12">
<h3>See if you are invited to my party!</h3>
</div>
</div>
<br/>
<div class="upload-form">
<form role="form" action="/index.php" method="post" enctype="multipart/form-data">
<div class="row">
<div class="form-group">
<input type="file" name="file1" id="file1" class="form-control input-lg">
<input type="file" name="file2" id="file2" class="form-control input-lg">
</div>
</div>
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12">
<input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Upload">
</div>
</div>
</form>
</div>
</div>
</div>
<footer class="footer">
<p>© PicoCTF</p>
</footer>
</div>
<script>
$(document).ready(function(){
$(".close").click(function(){
$("myAlert").alert("close");
});
});
</script>
</body>
</html>
flag: picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}
本部落格所有文章除特別聲明外,均採用 CC BY-NC-SA 4.0 許可協議。轉載請註明來自 LuYee6813's Blog | 技術分享!