PicoCTF - It is my Birthday

1. The website lands us on an upload functionality:

   

2. Let’s create a PDF file and try to upload it:

   

   

   

3. Let’s create a different PDF file and try:

   

   

   

4. Let’s calculate the MD5 hashes of our PDFs:

    $ md5sum test.pdf
    7d2a156b9a52b714cdbbbd7f3b10dc67  test.pdf
   
    $ md5sum test1.pdf
    db5a11f395bb3568f3fd03467049b5e7  test1.pdf
   

5. So we have to find two different files, ideally PDFs, with the same MD5 hash!

Solution 1

1. If we search Google for “MD5 hash collision GitHub” we will find the corkami’s collisions repository. There is a PDF section which includes the following examples:

   

2. We can download these PDF files, poeMD5_A.pdf and poeMD5_B.pdf, and check their MD5 hashes:

    $ md5sum poeMD5_A.pdf
    b347b04fac568905706c04f3ba4e221d  poeMD5_A.pdf
   
    $ md5sum poeMD5_B.pdf
    b347b04fac568905706c04f3ba4e221d  poeMD5_B.pdf
   

3. Now everything should be ready to go:

   

   

Solution 2

1. There is also Selinger’s MD5 Collision Demo which includes different binaries with the same MD5 hash:

   

2. Let’s check the binaries’ MD5 hashes, and then try to upload them:

    $ md5sum erase
    da5c61e1edc0f18337e46418e48c1290  erase
   
    $ md5sum hello
    da5c61e1edc0f18337e46418e48c1290  hello
   

   

   

3. We can try changing the MIME type of the binaries using Burp: