LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

@Taka-C

ACECTF [Web]

Last updated at Posted at 2025-03-01

ACECTFのWeb問

問題

折り畳み I think we can all agree that most of us grew up watching the iconic cartoon Tom & Jerry. Every kid would feel that surge of adrenaline during the thrilling chases and chaotic conflicts between the mischievous mouse and the ever-determined cat. The excitement of those scenes—the heart-pounding moments of escape—sometimes felt almost real.

But then, I heard a little rumor: what if all those chases were fake? What if Tom and Jerry were actually friends all along? That revelation shook me. I had no one to ask about this mind-bending twist, so I decided to take matters into my own hands—I created a web app to settle this question once and for all.

I know the truth now. Do you think you can uncover it too?

https://chal.acectf.tech/Webrypto/

解法

サイトにアクセスしてみるとこんな表示が

<?php
include('flag.php');
highlight_file(__FILE__);

// Check if parameters 'tom' and 'jerry' are not equal
if ($_GET['tom'] != $_GET['jerry']) {
    echo "<br>Parameter 1 Met!<br>";

        if (md5('ACECTF' . $_GET['tom']) == md5('ACECTF' . $_GET['jerry'])) {
        echo $FLAG;  // If the condition is true, print the flag
    }
}
?>

?tom=XXX&&jerry=YYYで
MD5(ACECTFXXX)とMD5(ACECTFYYY)のハッシュ値を一致させたいらしい。

phpの「===」ではなく「==」を使っているのでMD5した値が0e...(数字)で始まる値だと勝手に0として比較してくれる。

ということで、ACECTF+{数値}によってMD5が衝突できる値を見つけるコードを作ってもらった。

md5.py
import hashlib
import itertools
def md5_hash(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()
def find_zeroe_prefix_collisions(prefix: str, num_results: int = 2):
    found = []
    digits = "0123456789"
    length = 1
    while len(found) < num_results:
        print(f"Trying length: {length}...")
        for candidate in itertools.product(digits, repeat=length):
            suffix = ''.join(candidate)
            test_string = f"{prefix}{suffix}"
            hash_result = md5_hash(test_string)
            if hash_result.startswith("0e") and hash_result[2:].isdigit():
                print(f"Found: {test_string} -> {hash_result}")
                found.append(test_string)
                if len(found) >= num_results:
                    return found
        length += 1
    return found
prefix = "ACECTF"
collisions = find_zeroe_prefix_collisions(prefix)
print("Collisions found:", collisions)

結果

Found: ACECTF56897191 -> 0e596553413345985557682975557565
Found: ACECTF017140327 -> 0e420224540857325271333424630559

なので、
/?tom=56897191&jerry=017140327でフラグゲット!

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?