Easy Pisy
---------
We were given a [website](http://5a7f02d0.quals2018.oooverflow.io) with two PHP files: sign.php and execute.php, as well as two example PDF files.

Looking at the source code, which was available, the sign.php endpoint received a PDF file, extracted the text using ocrad, an OCR program, signed it using openssl_sign with a private key that, of course, we could not access, and returned the signature. The server signed only files containing the text ECHO (but not EXECUTE).

The execute.php endpoint received, via a POST request, a file (userfile) and a signature (signature), verified the signature using openssl_verify, and extracted the text using the same pdf_to_text function used in sign.php. If the text starts with ECHO, it just prints the OCRed text; if the text starts with EXECUTE, it passes the OCRed text to shell_exec.

Clearly, we must find a way to sign a PDF file containing an image of a text that starts with EXECUTE, but our signing endpoint refuses to sign files that start with EXECUTE.

Looking at the PHP documentation for openssl_sign(), we observe that the default algorithm (the one used here, since no algorithm is specified) is SHA1. Thus, we immediately thought of the (not-so-recently-discovered-anymore) SHA-1 collision technique (https://shattered.io/static/shattered.pdf). Indeed, if we could create two different PDF files that hash to the same SHA1 value, we could execute arbitrary commands and cat our flag.
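The root cause described above is the omitted algorithm argument. The following PHP is an added example, not the challenge's source code: it contrasts the default call with a signer and verifier that both name SHA-256. The function names sign_file and verify_file are hypothetical, the key pair is a throwaway generated inline, and $file is a constructed stand-in for the uploaded PDF bytes.

```php
<?php
// Added example: sign_file/verify_file are hypothetical names, the key is a
// throwaway generated here, and $file is a constructed stand-in for an upload.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$pub  = openssl_pkey_get_details($key)['key'];   // PEM-encoded public key
$file = "%PDF-1.3\nconstructed sample: ECHO hello\n";

// Weak: no fourth argument, so PHP signs a SHA-1 digest of $file.
// Any second file with the same SHA-1 digest verifies against this signature.
openssl_sign($file, $sigDefault, $key);
$isSha1 = openssl_verify($file, $sigDefault, $pub, OPENSSL_ALGO_SHA1) === 1;

// Hardened: name the digest on both sides so neither the signer nor the
// verifier can silently fall back to the default.
function sign_file(string $data, $privateKey): string
{
    if (!openssl_sign($data, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $sig;
}

function verify_file(string $data, string $sig, $publicKey): bool
{
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error);
    // -1 is truthy, so compare against 1 explicitly.
    return openssl_verify($data, $sig, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

$sig256 = sign_file($file, $key);

var_dump($isSha1);                                  // is the default signature a SHA-1 one?
var_dump(verify_file($file, $sig256, $pub));        // SHA-256 signature over the same bytes
var_dump(verify_file($file, $sigDefault, $pub));    // legacy SHA-1 signature under the strict verifier
var_dump(verify_file($file . 'x', $sig256, $pub));  // modified file against the SHA-256 signature
```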

To create colliding PDFs, we used this online SHA collider: https://alf.nu/SHA1 to obtain two files echo.pdf and execute.pdf, one with a harmless ECHO /bin/cat flag; command, and the other one with EXECUTE /bin/cat flag;, both with the same SHA1 hash.

Once we have the two colliding files, it is only a matter of:

    curl -F "userfile=@echo.pdf" http://5a7f02d0.quals2018.oooverflow.io/sign.php

to sign the harmless file:

    Executing 'convert -depth 8 /tmp/phpMWWbFu.pdf /tmp/phpMWWbFu.ppm'
    Extracted text: "ECHO /bin/cat flag;"
    I'm OK with ECHO commands. Here is the signature:


At this point,

    curl -F "userfile=@execute.pdf" -F "signature=$(cat signature.txt)" http://5a7f02d0.quals2018.oooverflow.io/execute.php



Flag: OOO{phP_4lw4y5_d3l1v3r5_3h7_b35T_fl4g5}