
PicoCTF - It is my Birthday

  1. The website lands us on a file upload form:

  2. Let’s create a PDF file and try to upload it:

  3. Let’s create a different PDF file and try:

  4. Let’s calculate the MD5 hashes of our PDFs:

     $ md5sum test.pdf
     7d2a156b9a52b714cdbbbd7f3b10dc67  test.pdf

     $ md5sum test1.pdf
     db5a11f395bb3568f3fd03467049b5e7  test1.pdf

  5. So we have to find two different files, ideally PDFs, with the same MD5 hash! The challenge name is a nod to the birthday paradox that makes hash collisions cheaper than brute force.

Solution 1

  1. If we search Google for “MD5 hash collision GitHub” we will find corkami’s collisions repository. Its PDF section includes the following examples:

  2. We can download these PDF files, poeMD5_A.pdf and poeMD5_B.pdf, and check their MD5 hashes:

     $ md5sum poeMD5_A.pdf
     b347b04fac568905706c04f3ba4e221d  poeMD5_A.pdf

     $ md5sum poeMD5_B.pdf
     b347b04fac568905706c04f3ba4e221d  poeMD5_B.pdf

  3. Now everything should be ready to go:

Solution 2

  1. There is also Peter Selinger’s MD5 Collision Demo, which includes two different binaries (hello and erase) with the same MD5 hash:

  2. Let’s check the binaries’ MD5 hashes, and then try to upload them:

     $ md5sum erase
     da5c61e1edc0f18337e46418e48c1290  erase

     $ md5sum hello
     da5c61e1edc0f18337e46418e48c1290  hello


  3. Since the upload expects PDFs, we can intercept the requests in Burp and change the MIME type of the file part (its Content-Type header) to application/pdf:
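
The whole procedure (step 5 of the walkthrough, the collision checks in both solutions, and the MIME type change above) as an added example that is not part of the original post. Instead of downloading the corkami PDFs or Selinger's binaries, it embeds the classic two-block MD5 collision published by Wang et al. and shows why a colliding prefix can be extended with any shared suffix, which is exactly how those PDFs and binaries are built. The form field name "file" in the multipart builder is an assumption about the challenge, not something the post states.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Two 128-byte MD5 collision blocks published by Wang et al. (2004).
# They differ in exactly six bytes yet share one MD5 digest.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("buffers must have equal length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_md5_collision(a: bytes, b: bytes) -> bool:
    """True only for a real collision: different bytes, same MD5."""
    return a != b and md5_hex(a) == md5_hex(b)


def extend_collision(prefix_a: bytes, prefix_b: bytes, suffix: bytes) -> Tuple[bytes, bytes]:
    """Append one shared suffix to both halves of a collision.

    MD5 is a Merkle-Damgard construction: once two inputs reach the same
    internal state at a 64-byte block boundary, any identical suffix keeps
    them colliding. The corkami PDFs and Selinger's erase/hello binaries
    use this to carry different content behind a colliding prefix.
    """
    if len(prefix_a) % 64 or len(prefix_b) % 64:
        raise ValueError("collision prefixes must end on a 64-byte block boundary")
    return prefix_a + suffix, prefix_b + suffix


def build_multipart(filename: str, content: bytes, field: str = "file",
                    mime: str = "application/pdf",
                    boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Build a multipart/form-data upload with a MIME type of our choosing.

    This is the request-side equivalent of editing the Content-Type of the
    file part in Burp. The field name "file" is an assumption about the
    challenge form. Returns (Content-Type header value, request body).
    """
    boundary = boundary or "----pico" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {mime}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


if __name__ == "__main__":
    print("offsets that differ:", differing_offsets(BLOCK_A, BLOCK_B))
    print("md5 A:   ", md5_hex(BLOCK_A))
    print("md5 B:   ", md5_hex(BLOCK_B))
    print("sha256 A:", sha256_hex(BLOCK_A))
    print("sha256 B:", sha256_hex(BLOCK_B))
    # Constructed suffix standing in for the rest of a PDF or an ELF binary.
    a, b = extend_collision(BLOCK_A, BLOCK_B, b"%PDF-1.4 rest of file (constructed)")
    print("still collide after shared suffix:", is_md5_collision(a, b))
    ctype, body = build_multipart("poeMD5_A.pdf", a)
    print(ctype)
    print(body[:120])
```

The SHA-256 digests of the two blocks differ, which is the practical takeaway: the upload check is only defeatable because it relies on MD5. Swapping the server-side comparison to SHA-256 (or any unbroken hash) would leave both solutions without a collision to submit.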

This post is licensed under CC BY 4.0 by the author.