2017::SECCON::Write-up

CTF SECCON

Word count: 187Reading time: 1 min

 2017/12/18  Share

SHA-1 is dead - 100 point

SHA-1 is dead
http://sha1.pwn.seccon.jp/
Upload two files satisfy following conditions:

file1 != file2
SHA1(file1) == SHA1(file2)
SHA256(file1) <> SHA256(file2)
2017KiB < sizeof(file1) < 2018KiB
2017KiB < sizeof(file2) < 2018KiB
* 1KiB = 1024 bytes

Just download sha1 collision pdf made by Google, then concatenate it with something.
Actually we don’t need to check the result of SHA-256 of two pdf……
Maybe wa can find a SHA-256 collision?

import requests
import urllib2
from  hashlib import sha1
from  hashlib import sha256
import urllib

pdf1 = urllib2.urlopen("http://shattered.io/static/shattered-1.pdf").read()[:500]
pdf2 = urllib2.urlopen("http://shattered.io/static/shattered-2.pdf").read()[:500]

pdf1 = pdf1.ljust( 2065409, "\00") #padding pdf to 2017Kib + 1
pdf2 = pdf2.ljust( 2065409, "\00")

while True:
    check1 = sha256(pdf1).hexdigest()
    check2 = sha256(pdf2).hexdigest()
    if check1 != check2:
        break
    else:
        pdf1  = pdf1+"\00"
        pdf2  = pdf2+"\00"

file1 = open("upload1","w")
file2 = open("upload2","w")
file1.write(pdf1)
file2.write(pdf2)


print sha1(pdf1).hexdigest()
print sha1(pdf2).hexdigest()
print sha256(pdf1).hexdigest()
print sha256(pdf2).hexdigest()
print len(pdf1)
print len(pdf2)

Original Author: Terrynini

Original link: http://blog.terrynini.tw/en/2017-SECCON-Write-up/

Publish at: December 18th 2017, 8:39:47

Next Post

Advance-Algorithm::homework4
Previous Post

Advance-Algorithm::homework3

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true