Bridge Safe Labs Logo

MD5 Collision

/ CTF
Installing OpenCTI for Threat Monitoring

This past Thursday, Kevin and I encountered a Capture the Flag, or CTF, that required us to perform an MD5 Collision.

Summary:

If you want some quick references here is MD5 collisions explained by OWASP and here is a really good example from John D. Cook. Keep reading if you’d like to hear our version of what happened in a retired challenge from HackTheBox called “alphascii clashing”.

MD5, or the Message-Digest Algorithm, a mathematical hashing algorithm that can verify the integrity, or lack of tampering, has been cracked. Carnegie Mellon University cracked the code in 2008 that made this hashing method unusable. Someone eventually came up with SHA-2 and SHA-3 which we can talk more about another time.

Basic Math Reasoning:

Password1 → Lots of MATH of MD5 → 2ac9cb7dc02b3c0083eb70898e549b63

So, by inference, you might assume that if we have the same hash performed by MD5 and send it to the same server it might get confused and give us some information? You would be correct.

Here is a visual with Session ID:

Drawing1

After connecting to the VPN, starting the instance, and downloading the pertinent files, we came across one singular file called “server.py”. Using the mousepad app in our Kali box, we opened up the file to examine it.

Observations:

  • Using MD5
  • Using json

    • Since we just talked about MD5 above, I’ll spare you. Json (Jason DURULO just kidding, JavaScript Object Notation) formatting is a fancy way to write and tell the program what to do. Isn’t that a lot of coding? Yes.

    JSON syntax includes:

  • Swirly or curly braces {..} to hold objects
  • Square brackets [..] to hold arrays (ordered elements)
  • Colons : to separate name-value pairs
  • Commas , to separate name-value pairs and array items

    • Example: {“name”: “Ann”, “company”: “BridgeSafeLabs”}

    Now that the first two observations are out of the way, we looked at the rest of the code and saw that it was programmed to “login” to something. Assuming this “something” grabs us the flag.

    We first tried registering and logging in many times in multiple different ways trying to grab the flag. This was us testing the program and how it would work.

    Then taking a second look at the python script, we see that we want to get an “unexpected” result. How does one get an unexpected result?

    Kevin brought some prior knowledge to the game and suggested we do an MD5 collision.We had to search the internet a bit for a good example and eventually found John D. Cook’s example in a tweet! How convenient!

    With the recipe in hand, JSON, MD5 collision hashes, and the script we were able to grab the flag by creating an MD5 collision.

    - Ann

    Next Post Previous Post

    To Top