PicoCTF-2021 Writeup

It is my Birthday

Last updated 2 years ago

Problem

I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website.

Solution

  1. Find some PDFs that collide. I used and .

  2. Upload these PDFs to the server and get the PHP code and flag:

    <?php
    if (isset($_POST["submit"])) {
        $type1 = $_FILES["file1"]["type"];
        $type2 = $_FILES["file2"]["type"];
        $size1 = $_FILES["file1"]["size"];
        $size2 = $_FILES["file2"]["size"];
        $SIZE_LIMIT = 18 * 1024;
    
        if (($size1 < $SIZE_LIMIT) && ($size2 < $SIZE_LIMIT)) {
            if (($type1 == "application/pdf") && ($type2 == "application/pdf")) {
                $contents1 = file_get_contents($_FILES["file1"]["tmp_name"]);
                $contents2 = file_get_contents($_FILES["file2"]["tmp_name"]);
    
                if ($contents1 != $contents2) {
                    if (md5_file($_FILES["file1"]["tmp_name"]) == md5_file($_FILES["file2"]["tmp_name"])) {
                        highlight_file("index.php");
                        die();
                    } else {
                        echo "MD5 hashes do not match!";
                        die();
                    }
                } else {
                    echo "Files are not different!";
                    die();
                }
            } else {
                echo "Not a PDF!";
                die();
            }
        } else {
            echo "File too large!";
            die();
        }
    }
    
    // FLAG: picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}
    
    ?>
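
The check above accepts any two distinct files whose digests agree, so it is only as strong as the hash's collision resistance. The following is an added example (not part of the original writeup or the challenge's code) that mirrors that decision order in Python and shows the same pair being rejected once the digest is SHA-256. `toy_digest`, `find_collisions` and `constructed_pair` are hypothetical helpers, and the 8-bit truncated digest is a constructed stand-in for a broken hash so that no real colliding files are needed.

```python
import hashlib
from itertools import combinations

SIZE_LIMIT = 18 * 1024  # same limit as the index.php shown above


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_digest(data: bytes) -> str:
    # Constructed stand-in for a broken hash: MD5 truncated to 8 bits, so a
    # collision exists among any 257 inputs (assumption made for this example).
    return md5_hex(data)[:2]


def server_check(a: bytes, b: bytes, digest=md5_hex) -> str:
    # Same decision order as index.php. The MIME test is left out because
    # $_FILES[...]["type"] is a client-supplied header, not a content check.
    if len(a) >= SIZE_LIMIT or len(b) >= SIZE_LIMIT:
        return "File too large!"
    if a == b:
        return "Files are not different!"
    if digest(a) != digest(b):
        return "MD5 hashes do not match!"
    return "accepted"


def find_collisions(blobs: dict, weak=md5_hex) -> list:
    # Audit helper: name pairs whose weak digest matches while SHA-256 differs.
    return [(x, y) for x, y in combinations(sorted(blobs), 2)
            if weak(blobs[x]) == weak(blobs[y])
            and sha256_hex(blobs[x]) != sha256_hex(blobs[y])]


def constructed_pair() -> tuple:
    # 257 distinct constructed inputs into 256 possible toy digests: the
    # pigeonhole principle guarantees at least one colliding pair.
    blobs = {f"invite-{i:03d}": b"invite %d" % i for i in range(257)}
    x, y = find_collisions(blobs, weak=toy_digest)[0]
    return blobs[x], blobs[y]


if __name__ == "__main__":
    a, b = constructed_pair()
    print("toy digest:", server_check(a, b, digest=toy_digest))
    print("sha256    :", server_check(a, b, digest=sha256_hex))
```

Running `find_collisions` with its default MD5 digest over a directory of stored uploads flags any pair that would have passed a check like the one above.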

Flag

picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}

http://mercury.picoctf.net:50970/
md5-1.pdf
md5-1.pdf