Tags: collision dm5 protobuf 

tl;dr:
1. Notice that protobuf ignores fields whose ids are not in the protocol definition
2. Use UniColl to create two messages where a single bit flip in byte 10 changes the packet definition
3. Cache the "nice" packet on the server, then send the malicious packet with the same MD5

Full writeup: https://github.com/p4-team/ctf/tree/master/2019-09-21-dragonctf/lookingglass
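
A defensive check for point 1, as an added example that is not from the original writeup: a minimal protobuf wire-format walker that lists top-level field numbers, so a server can reject messages carrying fields outside its schema before hashing or caching them. The schema (fields 1 and 2) and the sample bytes are constructed assumptions.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def field_numbers(buf):
    """Return the field numbers of all top-level fields, in wire order."""
    pos, seen = 0, []
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:            # varint
            _, pos = read_varint(buf, pos)
        elif wire_type == 1:          # 64-bit fixed
            pos += 8
        elif wire_type == 2:          # length-delimited
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == 5:          # 32-bit fixed
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
        seen.append(number)
    return seen

def unknown_fields(buf, known):
    """Field numbers present on the wire but absent from the schema."""
    return [n for n in field_numbers(buf) if n not in known]

# Constructed sample: hypothetical schema with field 1 (string) and field 2 (varint)
KNOWN = {1, 2}
CLEAN = bytes([0x0A, 0x02]) + b"hi" + bytes([0x10, 0x05])
# Same message preceded by field 15 (length-delimited), which a stock parser skips
PADDED = bytes([0x7A, 0x03]) + b"\x00\x01\x02" + CLEAN
```

Keying the cache on a collision-resistant hash such as SHA-256 instead of MD5 addresses point 3 independently of this check.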