PicoCTF - It is my Birthday
The website presents us with a file upload form:
Let’s create a PDF file and try to upload it:
Let’s create a different PDF file and try:
Let’s calculate the MD5 hashes of our PDFs:
$ md5sum test.pdf
7d2a156b9a52b714cdbbbd7f3b10dc67 test.pdf
$ md5sum test1.pdf
db5a11f395bb3568f3fd03467049b5e7 test1.pdf
So we have to find two different files, ideally PDFs, with the same MD5 hash!
Solution 1
If we search Google for “MD5 hash collision GitHub”, we find corkami’s collisions repository. Its PDF section includes the following examples:
We can download these PDF files, poeMD5_A.pdf and poeMD5_B.pdf, and check their MD5 hashes:
$ md5sum poeMD5_A.pdf
b347b04fac568905706c04f3ba4e221d poeMD5_A.pdf
$ md5sum poeMD5_B.pdf
b347b04fac568905706c04f3ba4e221d poeMD5_B.pdf
Now everything should be ready to go:
Solution 2
There is also Selinger’s MD5 Collision Demo, which includes different binaries with the same MD5 hash:
Let’s check the binaries’ MD5 hashes, and then try to upload them:
$ md5sum erase
da5c61e1edc0f18337e46418e48c1290 erase
$ md5sum hello
da5c61e1edc0f18337e46418e48c1290 hello
We can try changing the MIME type of the binaries using Burp:
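Both solutions rely on equal MD5 digests being accepted as a statement about the files. The following added example (not part of the original write-up or the challenge's code) shows the defender's side: SHA-256 decides whether two uploads are the same, and an MD5 match on different content is flagged as a collision. The names `classify_pair`, `differing_offsets` and `UploadIndex` are hypothetical, and the sample input is the publicly documented 128-byte MD5 collision pair from Wang et al.

```python
import hashlib

# Publicly documented MD5 collision pair (Wang et al., 2004): two 128-byte
# inputs that differ in six bytes. Embedded here only as sample input.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def classify_pair(a: bytes, b: bytes) -> str:
    """Decide identity with SHA-256; report an MD5 match on different content."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    if hashlib.md5(a).digest() == hashlib.md5(b).digest():
        return "md5-collision"
    return "distinct"


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


class UploadIndex:
    """Hypothetical upload store keyed on SHA-256 that flags MD5 collisions."""

    def __init__(self):
        self.by_sha256 = {}   # sha256 hex -> first file name seen
        self.md5_to_sha = {}  # md5 hex -> sha256 hex of first content seen

    def add(self, name: str, data: bytes) -> str:
        sha = hashlib.sha256(data).hexdigest()
        md5 = hashlib.md5(data).hexdigest()
        if sha in self.by_sha256:
            return "duplicate"
        self.by_sha256[sha] = name
        # Same MD5 as earlier content but a new SHA-256: collision, not a duplicate.
        if self.md5_to_sha.setdefault(md5, sha) != sha:
            return "md5-collision"
        return "new"
```

An index keyed only on MD5 would have treated the second colliding upload as a duplicate of the first; keying on SHA-256 keeps both and records the collision.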