NiNi's Den

2017::SECCON::Write-up

CTF SECCON
Word count: 208Reading time: 1 min
2017/12/18

SHA-1 is dead - 100 point

SHA-1 is dead
http://sha1.pwn.seccon.jp/
Upload two files satisfy following conditions:

file1 != file2
SHA1(file1) == SHA1(file2)
SHA256(file1) <> SHA256(file2)
2017KiB < sizeof(file1) < 2018KiB
2017KiB < sizeof(file2) < 2018KiB
* 1KiB = 1024 bytes

Just download sha1 collision pdf made by Google, then concatenate it with something.
Actually we don’t need to check the result of SHA-256 of two pdf……
Maybe wa can find a SHA-256 collision? 

import requests
import urllib2
from  hashlib import sha1
from  hashlib import sha256
import urllib

pdf1 = urllib2.urlopen("http://shattered.io/static/shattered-1.pdf").read()[:500]
pdf2 = urllib2.urlopen("http://shattered.io/static/shattered-2.pdf").read()[:500]

pdf1 = pdf1.ljust( 2065409, "\00") #padding pdf to 2017Kib + 1
pdf2 = pdf2.ljust( 2065409, "\00")

while True:
    check1 = sha256(pdf1).hexdigest()
    check2 = sha256(pdf2).hexdigest()
    if check1 != check2:
        break
    else:
        pdf1  = pdf1+"\00"
        pdf2  = pdf2+"\00"

file1 = open("upload1","w")
file2 = open("upload2","w")
file1.write(pdf1)
file2.write(pdf2)


print sha1(pdf1).hexdigest()
print sha1(pdf2).hexdigest()
print sha256(pdf1).hexdigest()
print sha256(pdf2).hexdigest()
print len(pdf1)
print len(pdf2)

Author:NiNi

Link:http://blog.terrynini.tw/en/2017-SECCON-Write-up/

Publish date:December 18th 2017, 8:39:47 am

Update date:March 23rd 2021, 4:02:39 am

License:This article is licensed under CC BY-NC 4.0

avatar
Terrynini
逆逆逆逆
CATALOG
Total : 42
2024
2023
2022
2021
2020
2019
2018
2017
CTF Reverse HITCON SECCON 0CTF ASIS RealWorldCTF Web CONFidence Flare-On Plaid Pragyan AFL++ QEMU Balsn Algorithm AIS3 Reversing-kr Cryptography Pwn Misc OSCP Travel CSS Dev OS Base64 AVX FaceBook GIF Windows browser Chakra JIT Reversing GameHacking
WriteUp Record Reminder Note TodayILearn