Points: 100
Tags: picoCTF 2021, Web Exploitation
Author: MADSTACKS
Description:
I sent out 2 invitations to all of my friends for my birthday!
I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash,
but they are slightly different! You wouldn't believe how long it took me to find a collision.
Anyway, see if you're invited by submitting 2 PDFs to my website.
http://mercury.picoctf.net:50970/
Hints:
1. Look at the category of this problem.
2. How may a PHP site check the rules in the description?
Challenge link: https://play.picoctf.org/practice/challenge/109
Browsing to the website, you get a form that lets you upload two files.
The HTML source of the page looks like this (with some empty lines removed):
<!DOCTYPE html>
<html lang="en">
<head>
<title>It is my Birthday</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
<link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="header">
<h3 class="text-muted">It is my Birthday</h3>
</div>
<div class="jumbotron">
<p class="lead"></p>
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12">
<h3>See if you are invited to my party!</h3>
</div>
</div>
<br/>
<div class="upload-form">
<form role="form" action="/index.php" method="post" enctype="multipart/form-data">
<div class="row">
<div class="form-group">
<input type="file" name="file1" id="file1" class="form-control input-lg">
<input type="file" name="file2" id="file2" class="form-control input-lg">
</div>
</div>
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12">
<input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Upload">
</div>
</div>
</form>
</div>
</div>
</div>
<footer class="footer">
<p>© PicoCTF</p>
</footer>
</div>
<script>
$(document).ready(function(){
$(".close").click(function(){
$("myAlert").alert("close");
});
});
</script>
</body>
</html>
Uploading various test files reveals the following constraints:
- The files can't be too large (no more than roughly 15-20 KB)
- The files need to be PDF files
- The file type check is based on the file extension rather than on the magic bytes at the start of the file
- The two files need to have the same md5 hash
Rather than creating the files myself, I turned to Corkami's collision example page on GitHub, where I downloaded:
After uploading these two files, you get the PHP source code back, with the flag embedded in a comment.
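As an added example (not code from the writeup, the challenge author, or Corkami), the following Python script mirrors the constraints listed above locally before each attempt and then posts the two files to the form exactly as a browser would, using only the standard library. The target URL and the field names file1, file2 and submit are taken from the HTML form; the 15 KB size limit, the application/pdf content type and the picoCTF{...} flag pattern are assumptions.

```python
import hashlib
import os
import re
import urllib.request
import uuid

# Target taken from the challenge page; the form posts to /index.php.
URL = "http://mercury.picoctf.net:50970/index.php"
# Assumed limit: the writeup only observes "15-20 KB or so".
MAX_SIZE = 15 * 1024


def check_pair(data1, name1, data2, name2, max_size=MAX_SIZE):
    """Mirror the observed server-side rules locally.

    Returns a list of violations; an empty list means the pair should be
    accepted.  The extension check is deliberately name-based, because
    the site was observed to ignore the magic bytes.
    """
    problems = []
    for name, data in ((name1, data1), (name2, data2)):
        if not name.lower().endswith(".pdf"):
            problems.append(f"{name}: extension is not .pdf")
        if len(data) > max_size:
            problems.append(f"{name}: {len(data)} bytes exceeds limit of {max_size}")
    if data1 == data2:
        problems.append("files are byte-identical; they must differ")
    if hashlib.md5(data1).hexdigest() != hashlib.md5(data2).hexdigest():
        problems.append("md5 digests differ")
    return problems


def build_multipart(fields, files, boundary=None):
    """Encode text fields and files as multipart/form-data.

    `files` maps form field name -> (filename, bytes, content_type).
    A fixed boundary can be passed to make the output reproducible.
    """
    boundary = boundary or uuid.uuid4().hex
    sep = ("--" + boundary).encode()
    crlf = b"\r\n"
    body = bytearray()
    for name, value in fields.items():
        body += sep + crlf
        body += f'Content-Disposition: form-data; name="{name}"'.encode() + crlf + crlf
        body += value.encode() + crlf
    for name, (filename, data, ctype) in files.items():
        body += sep + crlf
        body += (f'Content-Disposition: form-data; name="{name}"; '
                 f'filename="{filename}"').encode() + crlf
        body += f"Content-Type: {ctype}".encode() + crlf + crlf
        body += data + crlf
    body += sep + b"--" + crlf
    return bytes(body), f"multipart/form-data; boundary={boundary}"


def find_flag(text):
    """Pull a picoCTF-style flag (assumed format) out of the returned page, or None."""
    m = re.search(r"picoCTF\{[^}]*\}", text)
    return m.group(0) if m else None


def upload(path1, path2, url=URL):
    """Pre-check the two PDFs, then post them exactly as the HTML form would."""
    with open(path1, "rb") as f:
        data1 = f.read()
    with open(path2, "rb") as f:
        data2 = f.read()
    name1, name2 = os.path.basename(path1), os.path.basename(path2)
    problems = check_pair(data1, name1, data2, name2)
    if problems:
        raise ValueError("pre-check failed: " + "; ".join(problems))
    body, content_type = build_multipart(
        {"submit": "Upload"},
        {"file1": (name1, data1, "application/pdf"),
         "file2": (name2, data2, "application/pdf")},
    )
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": content_type,
                 "Content-Length": str(len(body))},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    page = upload(sys.argv[1], sys.argv[2])
    print(find_flag(page) or page)
```

Run it as `python3 upload.py collision-a.pdf collision-b.pdf` (file names are placeholders). The local pre-check is worth having because the server only reports a single failing rule per attempt, while check_pair reports all of them at once, and it makes the point of the challenge explicit: the md5 comparison is over the whole file, so any identical-prefix collision pair with a .pdf extension and a small enough size passes, regardless of whether the bytes are a valid PDF.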
For additional information, please see the references below.