Tags: md5 collision 

# Magic Dude5 (Cryptography - 323 pts - first blood)

### Another first blood victory for STeam!

[The server code](https://github.com/CTF-STeam/ctf-writeups/blob/master/2020/ISITDTU%20Finals/Magic%20Dude5/server.py) is quite simple:
- You have to provide two different commands in hex format
- The two commands must have the same MD5 hash
- The first command must contain the string `DTU`, and the n bytes before `DTU` must be identical to the last n bytes of the command
- If all conditions are met, those n bytes are passed to `os.system` and executed
- To make things a bit more complicated, each command is padded in front with ASCII `0` characters (0x30, not NUL bytes) until its length is a multiple of 64, and a full block of 64 `0`s is prepended when the length is already a multiple of 64 :angry:

This means we have to create an MD5 collision. The ultimate guide to MD5 collisions is here: [https://github.com/corkami/collisions](https://github.com/corkami/collisions). The page describes the various collision attacks, and it also contains one more piece of information you cannot miss in order to solve this challenge:

> MD5 and SHA1 work with blocks of 64 bytes.
>
> If two contents A & B have the same hash, then appending the same contents C to both will keep the same hash.
> ``` text
> hash(A) = hash(B) -> hash(A + C) = hash(B + C)
> ```

Now we have everything we need to build an MD5 collision that passes all the conditions:
- Put `0;` in front of the command. The leading `0` is the byte the server's padding will put back, and the `;` makes the shell treat it as a separate (harmless) command before the real one
- Use [FastColl](https://www.win.tue.nl/hashclash/) to create two strings with the same hash: the first 64-byte block is the command followed by NUL bytes, and FastColl appends two colliding 64-byte blocks (128 bytes) to it
- Append to both strings one more 64-byte block made of spaces and ending with the command, so that the last n bytes equal the n bytes before `DTU`. Because the two strings already collide, adding the same suffix to both keeps the collision
- Send the two strings to the server without the leading `0`: each one is then 255 bytes long, so the server's padding prepends exactly one `0` and rebuilds the 256-byte strings that collide
- Profit!!!

Example:

- Command: `0;ls . DTU # ` (the `.` and `#` are actually not needed)
- After FastColl:
```
msg1:
30 3B 6C 73 20 2E 20 44 54 55 20 23 20 00 00 00 0;ls . DTU # ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
6A 88 7D 53 18 40 D8 03 76 32 FD 71 AB ED 2B C5 jˆ}S.@Ø.v2ýq«í+Å
12 CF 8A 54 F2 15 26 C0 3F E2 76 09 A9 2D 26 8D .ÏŠTò.&À?âv.©-&.
0E B1 0C C0 80 A7 C1 9F 0B 08 56 44 EB 77 48 60 .±.À€§ÁŸ..VDëwH`
44 56 39 55 28 E6 3D 5B 2D F3 B4 95 BF A5 9B F5 DV9U(æ=[-ó´•¿¥›õ
7A 15 F9 2C 78 86 6B 00 C0 09 4A 3D 56 70 50 24 z.ù,x†k.À.J=VpP$
F1 36 D6 61 4B 7B 35 EB 7E 59 E0 57 5B 9C 6B C1 ñ6ÖaK{5ë~YàW[œkÁ
DD 04 C9 EE 06 F2 82 BF 1A 97 EB 50 B3 5C D0 0A Ý.Éî.ò‚¿.—ëP³\Ð.
14 A5 88 6B 0F 28 8A 48 28 D3 FC 40 7B C2 2A 30 .¥ˆk.(ŠH(Óü@{Â*0

msg2:
30 3B 6C 73 20 2E 20 44 54 55 20 23 20 00 00 00 0;ls . DTU # ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
6A 88 7D 53 18 40 D8 03 76 32 FD 71 AB ED 2B C5 jˆ}S.@Ø.v2ýq«í+Å
12 CF 8A D4 F2 15 26 C0 3F E2 76 09 A9 2D 26 8D .ÏŠÔò.&À?âv.©-&.
0E B1 0C C0 80 A7 C1 9F 0B 08 56 44 EB F7 48 60 .±.À€§ÁŸ..VDë÷H`
44 56 39 55 28 E6 3D 5B 2D F3 B4 15 BF A5 9B F5 DV9U(æ=[-ó´.¿¥›õ
7A 15 F9 2C 78 86 6B 00 C0 09 4A 3D 56 70 50 24 z.ù,x†k.À.J=VpP$
F1 36 D6 E1 4B 7B 35 EB 7E 59 E0 57 5B 9C 6B C1 ñ6ÖáK{5ë~YàW[œkÁ
DD 04 C9 EE 06 F2 82 BF 1A 97 EB 50 B3 DC CF 0A Ý.Éî.ò‚¿.—ëP³ÜÏ.
14 A5 88 6B 0F 28 8A 48 28 D3 FC C0 7B C2 2A 30 .¥ˆk.(ŠH(ÓüÀ{Â*0

(MD5: 6d81b47f5fb0ccc08684f128704c8116)
```
- Append the suffix:
```
msg1:
30 3B 6C 73 20 2E 20 44 54 55 20 23 20 00 00 00 0;ls . DTU # ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
6A 88 7D 53 18 40 D8 03 76 32 FD 71 AB ED 2B C5 jˆ}S.@Ø.v2ýq«í+Å
12 CF 8A 54 F2 15 26 C0 3F E2 76 09 A9 2D 26 8D .ÏŠTò.&À?âv.©-&.
0E B1 0C C0 80 A7 C1 9F 0B 08 56 44 EB 77 48 60 .±.À€§ÁŸ..VDëwH`
44 56 39 55 28 E6 3D 5B 2D F3 B4 95 BF A5 9B F5 DV9U(æ=[-ó´•¿¥›õ
7A 15 F9 2C 78 86 6B 00 C0 09 4A 3D 56 70 50 24 z.ù,x†k.À.J=VpP$
F1 36 D6 61 4B 7B 35 EB 7E 59 E0 57 5B 9C 6B C1 ñ6ÖaK{5ë~YàW[œkÁ
DD 04 C9 EE 06 F2 82 BF 1A 97 EB 50 B3 5C D0 0A Ý.Éî.ò‚¿.—ëP³\Ð.
14 A5 88 6B 0F 28 8A 48 28 D3 FC 40 7B C2 2A 30 .¥ˆk.(ŠH(Óü@{Â*0
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 30 3B 6C 73 20 2E 20 0;ls .

msg2:
30 3B 6C 73 20 2E 20 44 54 55 20 23 20 00 00 00 0;ls . DTU # ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
6A 88 7D 53 18 40 D8 03 76 32 FD 71 AB ED 2B C5 jˆ}S.@Ø.v2ýq«í+Å
12 CF 8A D4 F2 15 26 C0 3F E2 76 09 A9 2D 26 8D .ÏŠÔò.&À?âv.©-&.
0E B1 0C C0 80 A7 C1 9F 0B 08 56 44 EB F7 48 60 .±.À€§ÁŸ..VDë÷H`
44 56 39 55 28 E6 3D 5B 2D F3 B4 15 BF A5 9B F5 DV9U(æ=[-ó´.¿¥›õ
7A 15 F9 2C 78 86 6B 00 C0 09 4A 3D 56 70 50 24 z.ù,x†k.À.J=VpP$
F1 36 D6 E1 4B 7B 35 EB 7E 59 E0 57 5B 9C 6B C1 ñ6ÖáK{5ë~YàW[œkÁ
DD 04 C9 EE 06 F2 82 BF 1A 97 EB 50 B3 DC CF 0A Ý.Éî.ò‚¿.—ëP³ÜÏ.
14 A5 88 6B 0F 28 8A 48 28 D3 FC C0 7B C2 2A 30 .¥ˆk.(ŠH(ÓüÀ{Â*0
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 30 3B 6C 73 20 2E 20 0;ls .

(MD5: a3e953ee34b12c06214f019e05d15cfb)
```
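To check the construction offline before talking to the server, here is an added Python example (it is not part of the original writeup and not the challenge's own code). It rebuilds both messages from the hex dumps above, shows that the common suffix keeps the collision, replays the server's padding and comparison logic locally, and confirms that the same pair is rejected as soon as MD5 is swapped for SHA-256. The collision block constants are copied from the dumps; `server_check` mirrors the checks described above but takes a `hasher` parameter that the real server does not have.

```python
# Added example, not the writeup's or the challenge server's code.
from hashlib import md5, sha256
from binascii import hexlify, unhexlify

# 64-byte prefix block as in the dump: the command text followed by NUL bytes.
PREFIX = b"0;ls . DTU # ".ljust(64, b"\x00")

# The two 128-byte FastColl blocks from the dump above (they differ in a few bytes).
COLL1 = unhexlify(
    "6A887D531840D8037632FD71ABED2BC5" "12CF8A54F21526C03FE27609A92D268D"
    "0EB10CC080A7C19F0B085644EB774860" "4456395528E63D5B2DF3B495BFA59BF5"
    "7A15F92C78866B00C0094A3D56705024" "F136D6614B7B35EB7E59E0575B9C6BC1"
    "DD04C9EE06F282BF1A97EB50B35CD00A" "14A5886B0F288A4828D3FC407BC22A30"
)
COLL2 = unhexlify(
    "6A887D531840D8037632FD71ABED2BC5" "12CF8AD4F21526C03FE27609A92D268D"
    "0EB10CC080A7C19F0B085644EBF74860" "4456395528E63D5B2DF3B415BFA59BF5"
    "7A15F92C78866B00C0094A3D56705024" "F136D6E14B7B35EB7E59E0575B9C6BC1"
    "DD04C9EE06F282BF1A97EB50B3DCCF0A" "14A5886B0F288A4828D3FCC07BC22A30"
)


def build_suffix(prefix: bytes) -> bytes:
    """Final 64-byte block: spaces, then a copy of the bytes that precede
    'DTU' in the prefix, so that cmd[:n] == cmd[-n:] holds on the server."""
    n = prefix.index(b"DTU")
    return prefix[:n].rjust(64, b" ")


MSG1 = PREFIX + COLL1 + build_suffix(PREFIX)  # 256 bytes
MSG2 = PREFIX + COLL2 + build_suffix(PREFIX)  # 256 bytes


def to_wire(msg: bytes) -> str:
    """What gets typed into nc: hex of the message minus its leading '0'."""
    assert msg[:1] == b"0"
    return hexlify(msg[1:]).decode()


def server_padding(text: bytes) -> bytes:
    """Same rule as the server: prepend ASCII '0' (0x30) up to the next
    multiple of 64, a full 64 of them when the length is already aligned."""
    return b"\x30" * (64 - (len(text) % 64)) + text


def server_check(cmd_hex: str, recmd_hex: str, hasher=md5):
    """Replay of the server's checks. Returns the bytes the server would hand
    to os.system(), or None if any check fails. `hasher` is an addition of
    this example so the same pair can be tested against another hash."""
    cmd = server_padding(unhexlify(cmd_hex))
    recmd = server_padding(unhexlify(recmd_hex))
    if not (len(cmd) == len(recmd) and cmd != recmd
            and hasher(cmd).digest() == hasher(recmd).digest()):
        return None
    checkpoint = cmd.find(b"DTU")        # first occurrence, like the server loop
    if checkpoint <= 0:
        return None                      # 'Wrong checkpoint'
    if cmd[:checkpoint] != cmd[-checkpoint:]:
        return None                      # "Nope! You're not a Magician"
    return cmd[:checkpoint]


def collision_survives_suffix() -> bool:
    """hash(A) == hash(B) implies hash(A+C) == hash(B+C): after the colliding
    blocks the MD5 chaining state is identical, so any common suffix works."""
    a, b = PREFIX + COLL1, PREFIX + COLL2
    return (a != b
            and md5(a).digest() == md5(b).digest()
            and md5(MSG1).digest() == md5(MSG2).digest())


def rejected_under_sha256() -> bool:
    """The identical payload pair fails once the server hashes with SHA-256."""
    return server_check(to_wire(MSG1), to_wire(MSG2), sha256) is None


if __name__ == "__main__":
    print("wire length:", len(to_wire(MSG1)) // 2, "bytes")
    print("executed:", server_check(to_wire(MSG1), to_wire(MSG2)))
    print("rejected with sha256:", rejected_under_sha256())
```

The suffix block is the only part you can change freely: the command the server runs is whatever sits before `DTU` in the first block, and that block is bound into the collision, so every new command in the session below needed a fresh FastColl run.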

Now time to send the commands to the server:
```
$ nc 34.68.99.117 4444
Type your command here: 3B6C73202E204454552023200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006A887D531840D8037632FD71ABED2BC512CF8A54F21526C03FE27609A92D268D0EB10CC080A7C19F0B085644EB7748604456395528E63D5B2DF3B495BFA59BF57A15F92C78866B00C0094A3D56705024F136D6614B7B35EB7E59E0575B9C6BC1DD04C9EE06F282BF1A97EB50B35CD00A14A5886B0F288A4828D3FC407BC22A30202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020303B6C73202E20
Retype your command here: 3B6C73202E204454552023200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006A887D531840D8037632FD71ABED2BC512CF8AD4F21526C03FE27609A92D268D0EB10CC080A7C19F0B085644EBF748604456395528E63D5B2DF3B415BFA59BF57A15F92C78866B00C0094A3D56705024F136D6E14B7B35EB7E59E0575B9C6BC1DD04C9EE06F282BF1A97EB50B3DCCF0A14A5886B0F288A4828D3FCC07BC22A30202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020303B6C73202E20
secret
server.py
0
```

Next command: `0;cat *DTU # `
```
$ nc 34.68.99.117 4444
Type your command here: [hex omitted]
Retype your command here: [hex omitted]
#python3
from hashlib import md5
from binascii import unhexlify
from os import system

def padding(text):
    pad = ('\x30'*(64 - (len(text) % 64))).encode('utf-8')
    return pad+text

def get_block(intro):
    unhex = unhexlify(str(input(intro)))
    return (padding(unhex))

cmd = get_block('Type your command here: ')
recmd = get_block('Retype your command here: ')

check1 = md5(cmd).hexdigest()
check2 = md5(recmd).hexdigest()

#Sector1
checkpoint=0
for i in range(len(cmd)):
    if cmd[i:i+3] == b'DTU':
        checkpoint=i
        break
    else:
        checkpoint=0

#Sector2 (Remember only 'ls' and 'cat' with no option are allowed)
if len(cmd) == len(recmd) and cmd != recmd and check1 == check2:
    if checkpoint == 0:
        print ('Wrong checkpoint')
    elif cmd[:checkpoint] == cmd[-checkpoint:]:
        output = system(cmd[:checkpoint])
        print (output)
    else:
        print ('''Nope! You're not a Magician, Dude5.''')
256
```

Looks like `secret` is not a regular file: `cat *` only printed `server.py`, and the `256` at the end is the `os.system` return value (exit status 1). Let's verify with the next command: `0;ls -alDTU `
```
$ nc 34.68.99.117 4444
Type your command here: [hex omitted]
Retype your command here: [hex omitted]
total 16
drwxr-xr-x 1 root root 4096 Dec 13 01:01 .
drwxr-xr-x 1 root root 4096 Dec 13 01:01 ..
drwxr-xr-x 2 root root 4096 Dec 13 01:00 secret
-rw-r--r-- 1 root root 942 Dec 10 09:22 server.py
0
```

Next command: `0;ls secretDTU`
```
$ nc 34.68.99.117 4444
Type your command here: [hex omitted]
Retype your command here: [hex omitted]
flag.txt
0
```

Now time to get the flag: `0;cat secret/*DTU`
```
$ nc 34.68.99.117 4444
Type your command here: [hex omitted]
Retype your command here: [hex omitted]
ISITDTU{y0ur3_a_M4g1c1An_Dude5}
0
```

Original writeup (https://github.com/CTF-STeam/ctf-writeups/tree/master/2020/ISITDTU%20Finals/Magic%20Dude5).