Maojui

Defcon 2018 - Pisy (Crypto, web, 104)

2018-05-14

Easy Pisy - Crypto, Web

Open http://5a7f02d0.quals2018.oooverflow.io

You will see two file upload services: "Sign your payload" and "Execute your signed payload".

The challenge also provides a samples.tgz file with examples showing how the service works.

Service

First service: the server recognizes the PDF input via OCR and signs it (with openssl_sign($data, $signature, $privkey)), but it refuses to sign an EXECUTE command.

Second service: given the signature and a PDF, this service executes the command (extracted by OCR) if the signature verifies.

  1. Listing of the directory

common.php
execute.php
flag
index.nginx-debian.html
index.php
private_key.pem
public_key.pem
sign.php

We found that openssl_sign($data, $signature, $privkey) hashes the data with SHA-1 before signing: SHA-1 is the default digest when no algorithm argument is passed.

Therefore, draw the two commands as pictures and put them into the SHA-1 collision PDF that Google released last year, to get two PDFs with the same SHA-1 hash.

Send picture 1 (without EXECUTE) to the first service to get the signature.

Pass this signature together with the SHA-1 collision PDF (the one with EXECUTE cat < flag) to the second service to get the flag.
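
The digest choice described above, as an added PHP example that is not the challenge's code: it shows that the three-argument openssl_sign call yields a signature that verifies under SHA-1 only, next to a variant that names SHA-256 on both the signing and the verifying side. The key pair, the sample bytes and the helper names digests_accepting, sign_sha256 and verify_sha256 are constructed for illustration.

```php
<?php
// Added example: key pair and payload are constructed; helper names are hypothetical.
$priv = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($priv === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
$pub = openssl_pkey_get_details($priv)['key'];   // PEM-encoded public key

// Returns the names of the digests under which $sig verifies for $data.
function digests_accepting(string $data, string $sig, string $pub): array {
    $accepted = [];
    foreach (['sha1' => OPENSSL_ALGO_SHA1, 'sha256' => OPENSSL_ALGO_SHA256] as $name => $algo) {
        // openssl_verify returns 1 (valid), 0 (invalid), -1 or false (error): compare strictly.
        if (openssl_verify($data, $sig, $pub, $algo) === 1) {
            $accepted[] = $name;
        }
    }
    return $accepted;
}

$pdf = "%PDF-1.3\n(constructed stand-in for an uploaded file)\n";

// Weak: the three-argument call from the write-up. PHP falls back to OPENSSL_ALGO_SHA1,
// so the signature covers sha1($pdf) and is valid for any other file with that SHA-1.
if (openssl_sign($pdf, $weakSig, $priv)) {
    echo "default call verifies under: ",
         implode(', ', digests_accepting($pdf, $weakSig, $pub)), "\n";
} else {
    echo "default call refused (SHA-1 signing disabled by the local OpenSSL policy)\n";
}

// Hardened: name a collision-resistant digest explicitly when signing and when verifying.
function sign_sha256(string $data, $priv): string {
    if (!openssl_sign($data, $sig, $priv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $sig;
}
function verify_sha256(string $data, string $sig, string $pub): bool {
    return openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
}

$sig = sign_sha256($pdf, $priv);
var_dump(verify_sha256($pdf, $sig, $pub));              // check against the signed bytes
var_dump(verify_sha256($pdf . "tampered", $sig, $pub)); // check against different bytes
```

The verifier must pass the same explicit algorithm constant as the signer; a verifier left on the default would still accept SHA-1 signatures.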