Tags: sha1 collision pdf 

Rating: 3.0

## 104 Easy Pisy ##

(crypto, web)

**Files provided**

- `samples.tgz` - an archive containing
- `echo-ciao.pdf` - a PDF with the text "ECHO ciao"
- `echo-ciao.sign` - signature for `echo-ciao.pdf`
- `execute-ls.pdf` - a PDF with the text "EXECUTE ls"
- `execute-ls.sign` - signature for `execute-ls.pdf`

**Description**

The target website contained two forms - one to upload a PDF file and have the server sign it, and another one to upload a PDF file with a signature and have the server execute it.

**Solution**

After some testing and viewing the PHP file sources (via public debug parameter), it was clear that the server is using ImageMagick to `convert` the PDF file into a PPM bitmap, then using `ocram` to read the text visually. The signing was done via `openssl_sign` and `openssl_verify`, using the default SHA algorithm, but then encrypting the signature using RSA. Uploading the given `EXECUTE ls` file with its proper signature revealed that the public and private key are in the same directory, but the access was forbidden. There was also a `flag` file, likewise inaccessible.

I spent way too long trying to figure out something clever for this one. I knew about the SHAttered attack but for some reason I thought it still takes a long time to actually construct two matching files. So, in my fumbling around I learnt a bunch about how PDFs work, and was trying / considering these attack vectors:

- length extension attack - impossible since the signature is encrypted
- make the PDF file include `flag` via filespec - PDF embedded files can't actually be displayed as content (AFAIK)
- `openssl_verify` wasn't checked properly, trip it up by sending malformed signature? - no luck
- OCR exploit - ???

So, in the end … Simply use [sha1collider](https://github.com/nneonneo/sha1collider). Make a PDF that just shows "EXECUTE cat flag", then `python3 collide.py execute-ls.pdf execute-catflag.pdf` and done. At least I learnt something! `OOO{phP_4lw4y5_d3l1v3r5_3h7_b35T_fl4g5}`