rss
twitter
  •  

Using the SHA1 collision attack to solve the BostonKeyParty CTF challenge

| Posted in Security Articles |

1

  • Sumo

This is a writeup to the Boston Key Party CTF 2017 Prudential challenge – which I took part in over the weekend. .

I viewed the source of the webpage and found out an index.txt file was being referenced.

Snippets below:

<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    $name = (string)$_GET['name'];
    $password = (string)$_GET['password'];
    if ($name == $password) {
        print 'Your password can not be your name.';
    } else if (sha1($name) === sha1($password)) {
      die('Flag: '.$flag);
    } else {
        print '<p class="alert">Invalid password.</p>';
           }
} ?>

 

Two conditions need to be met here – to display the flag.

  1. The $name entered must not be the same as the $password
  2. The sha1($name) must be the same as sha1($password)

 

My thought-process at this point was to have different values for $name and $password but with the same sha1 signature. What immediately comes to mind is the SHA1 Collision attack recently revealed by the google team.

According to the google team, “It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.”

Two different PDF files with the same checksum are available here:

http://shattered.io/static/shattered-1.pdf

http://shattered.io/static/shattered-2.pdf

I then came up with a quick and dirty python script to do the job. This script takes the value of the first pdf as parameter “name” and the second pdf as parameter “password”

import requests
import urllib2
rotimi = urllib2.urlopen("http://shattered.io/static/shattered-1.pdf").read()[:500];
letmein = urllib2.urlopen("http://shattered.io/static/shattered-2.pdf").read()[:500];
 
r = requests.get('http://54.202.82.13/', params={'name': rotimi, 'password': letmein});
print r.text

After running this, I got the flag : FLAG{AfterThursdayWeHadToReduceThePointValue}

Comments (1)

Thanks and i'm terribly grateful to urge a giant benefits,here may be a provide to require on-line video course and certification probability.i have  a dream i need to hitch some cyber security team in our country that is why i'm probing for a on-line course,i want to find out Offensive Security
Mobile App Security, Network Security, internet  App Security, Exploit Development,etc. Please facilitate to to offer AN recommendation what is going to be the simplest on behalf of me. that course would facilitate American state in gaining hacking and cyber security skills: BSIT, BSSE or BSCS?

Post a comment