[Day10] Web 小快樂

2021 iThome 鐵人賽

DAY 10

Security

從 PicoCTF 中跨領域學資訊安全系列第 10 篇

13th鐵人賽

Yvonne

團隊飛天小女警

2021-09-25 23:29:37

1558 瀏覽

分享至

今天又是快樂星期六滑板日,很享受在長板上滑行的感覺
你各位,我發現我昨天不知道在嗨什麼
以為昨天就是鐵人連續發文第10天
結果今天才是,哈哈哈哈
我們今天一樣解 Web
我會寫的比較趕喔,因為我現場寫,而且現在11點
我要跟時間賽跑~

It is my Birthday (100 points)

I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:48746/

Hints
1.Look at the category of this problem.
2.How may a PHP site check the rules in the description?

這是連結點下去的樣子

有一個表格,我們可以上傳2個文件看看

<div class="jumbotron">
  <p class="lead"></p>
  <div class="row">
    <div class="col-xs-12 col-sm-12 col-md-12">
      <h3>See if you are invited to my party!</h3>
    </div>
  </div>
  <br/>
  <div class="upload-form">
    <form role="form" action="/index.php" method="post" enctype="multipart/form-data">
    <div class="row">
      <div class="form-group">
        <input type="file" name="file1" id="file1" class="form-control input-lg">
        <input type="file" name="file2" id="file2" class="form-control input-lg">
      </div>
    </div>
    <div class="row">
      <div class="col-xs-12 col-sm-12 col-md-12">
        <input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Upload">
      </div>
    </div>
    </form>
  </div>
</div>

我們剛剛上傳2個相同文件,可以來找邏輯

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ echo test > test.txt

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ curl -F 'file1=@test.txt'  -F 'file2=@test.txt' -F 'submit=Upload' http://mercury.picoctf.net:50970/index.php
Not a PDF!

這網站認出我們上傳的其中一個文件,會不會好奇
怎麼確認文件類型?
最快速的方法就是檔名寫清楚

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ mv test.txt test.pdf

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ curl -F 'file1=@test.pdf'  -F 'file2=@test.pdf' -F 'submit=Upload' http://mercury.picoctf.net:50970/index.php
Files are not different!

這是個用 PHP 寫的站,然後阿他有點複雜
我不太會解釋,時間問題我先省略

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ php -r "echo md5('240610708');"
0e462097431906509019562988736854                                                                                                                                                                               
┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ php -r "echo md5('QNKCDZO');"
0e830400451993494058024219903391                                                                                                                                                                          
┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ php -r "var_dump(md5('240610708') == md5('QNKCDZO'));"
bool(true)

記得 md5 hash 嗎?

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ echo -n "240610708" > f1.pdf

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ echo -n "QNKCDZO" > f2.pdf

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ md5sum f1.pdf f2.pdf
0e462097431906509019562988736854  f1.pdf
0e830400451993494058024219903391  f2.pdf

┌──(user@kali)-[/media/sf_CTFs/pico/It_is_my_Birthday]
└─$ curl -F 'file1=@f1.pdf'  -F 'file2=@f2.pdf' -F 'submit=Upload' http://mercury.picoctf.net:50970/index.php -s | egrep -o "picoCTF{[^}]+}"
picoCTF{c0ngr4ts_u_r_1nv1t3d_73b0c8ad}

flag 就出來囉~