Tags: web in_depth
# It is my Birthday
Category: Web Exploitation
AUTHOR: MADSTACKS
## Description
```
I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website.
```
## The gimmick
So someone "secured" their invite cards by making sure that the MD5 hashes of their two invites are the same. This is all nice and dandy, except for one problem: MD5 is known to have hash collisions! "What's that?":
```
                 +-----------------+
Plain text ====> |  Hash function  | ====> Hash
                 +-----------------+
```
This is basically how you can picture hashing. One important thing to note is that one of the required properties of a hash function is that it is irreversible, i.e. unlike encryption, there is no inverse function that can recover the plaintext from the hash. The other important property is that each unique input should generate a unique output (in practice, it should be infeasible to find two different inputs with the same hash):
```
                +-----------------+
Message 1 ====> |  Hash function  | ====> Hash 1
                +-----------------+
                +-----------------+
Message 2 ====> |  Hash function  | ====> Hash 2
                +-----------------+
```
Where the following is true:
```
Hash 1 != Hash 2
```
## The solution
Great! So there is no way we could possibly solve this challenge... well, that is obviously not true. We've established that MD5 is vulnerable and that collisions have been found before, like [here](https://www.mscs.dal.ca/~selinger/md5collision/). This is also where I found my files:
```
hello.exe
erase.exe
```
Simply change the file extensions to `.pdf` and upload both files to this beautiful website.
![website](./website.png)
And then get the following result:
```html
<html lang="en">
<head>
<title>It is my Birthday</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
<link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="header">
<h3 class="text-muted">It is my Birthday</h3>
</div>
<div class="jumbotron">
© PicoCTF
</div>
<script>
$(document).ready(function(){
$(".close").click(function(){
$("myAlert").alert("close");
});
});
</script>
</body>
</html>
```
`picoCTF{c0ngr4ts_u_r_1nv1t3d_da36cc1b}` Here it is :)
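
Why the upload succeeds, as an added example that is not part of the original writeup or the challenge's own code: it models the invite check as "different bytes, same digest" (an assumption based on the challenge description) and runs it over a widely published 128-byte MD5 collision pair, then repeats the check with SHA-256. The pair is constructed sample input, not the `hello.exe`/`erase.exe` files used above, and all function names are hypothetical.

```python
import hashlib

# Constructed sample input: a widely published 128-byte MD5 collision pair.
# Only MSG_A is typed out; MSG_B differs from it in six bytes (top bit flipped).
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
FLIPPED_OFFSETS = (19, 45, 59, 83, 109, 123)


def flip_top_bits(data, offsets):
    """Return a copy of data with the most significant bit flipped at each offset."""
    out = bytearray(data)
    for i in offsets:
        out[i] ^= 0x80
    return bytes(out)


MSG_B = flip_top_bits(MSG_A, FLIPPED_OFFSETS)


def digest(data, algorithm):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def looks_like_invite_pair(file_a, file_b, algorithm="md5"):
    """Hypothetical model of the challenge's check: different bytes, same digest."""
    return file_a != file_b and digest(file_a, algorithm) == digest(file_b, algorithm)


def report(file_a, file_b):
    """Run the same check under MD5 and SHA-256 and return both verdicts."""
    return {alg: looks_like_invite_pair(file_a, file_b, alg) for alg in ("md5", "sha256")}


if __name__ == "__main__":
    print("bytes differ:", MSG_A != MSG_B)
    for alg in ("md5", "sha256"):
        print(alg, digest(MSG_A, alg), digest(MSG_B, alg))
    print(report(MSG_A, MSG_B))
```

Any check that treats an MD5 match as proof that two files are the same, or that a file is genuine, fails in this way; comparing uploads against known SHA-256 digests of the real invites does not.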