Writeups
THM When Hearts Colide
Recon:
We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.
nmap -sV -sC -v 10.65.149.102
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 7c:9c:0c:07:d1:06:75:d7:8e:0f:54:94:4f:1a:88:c4 (ECDSA)
|_ 256 b3:b9:47:d2:8f:d0:40:b1:0d:19:7d:96:70:95:57:e3 (ED25519)
80/tcp open http nginx
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-title: Matchmaker
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We ffuf to find more info
ffuf -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -u http://10.65.149.102/FUZZ
:: Progress: [287/87664] :: Job [1/1] :: 0 req/sec :: Duration:
[0:00:00] :: static [Status: 301, Size: 162, Words: 5,
Lines: 8, Duration: 75ms]
:: Progress: [348/87664] :: Job [1/1] :: 0 req/sec :: Duration:
[0:00:00] :: upload [Status: 405, Size: 153, Words: 16,
Lines: 6, Duration: 64ms]
#### We do the same on /static >ffuf -w
/usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ
-u http://10.65.149.102/static/FUZZ
:: Progress: [200/87664] :: Job [1/1] :: 0 req/sec :: Duration:
[0:00:00] :: uploads [Status: 301, Size: 162, Words: 5,
Lines: 8, Duration: 63ms]
:: Progress: [1504/87664] :: Job [1/1] :: 625 req/sec :: Duration:
[0:00:02] vendor [Status: 301, Size: 162, Words: 5,
Lines: 8, Duration: 64ms]
:: Progress: [2712/87664] :: Job [1/1] :: 606 req/sec :: Duration:
[0:00:04] fonts [Status: 301, Size: 162, Words: 5,
Lines: 8, Duration: 72ms]
#### Same but on /static/uploads
We get nothing but we are in /static/uploads, we might be able to upload
an image payload. Our upload doesnt work as it test MD5 and returns
nothing. ___
Exploitation:
MD5 isn’t a recommended hashing algo because of collision so lets try to find one
In order to find a collision in our hashes we’re going to use FastColl. This program enables us to quickly create 2 files with the same md5 but different payloads. We can then call to one of our files and have the other one run.
Install FastColl through Docker following the instruction on the FastColl github.
First we need to create a prefix file to prepend to our jpg file
\xFF\x08\xFF\xFE\x00\x82
printf '\xFF\x08\xFF\xFE\x00\x82' > prefix.bin
Next, we run the prefix through our docker command
docker run --rm -it -v "$PWD:/work" -w /work -u "$(id -u):$(id -g)" brimstone/fastcoll --prefixfile prefix.bin -o msg1.jpg msg2.jpg
Finally, we take both our files run them through the app and it returns our hash
THM{hash_puppies_4_all}
Notes:
This is a rather straightforward machines that displays quite simply why and how MD5 collision work. This exercise is quite explicit on when a collision has worked but in the wild this would be harder to spot. However, the functionnality remains the same, if a system is using MD5 to verify its file and we create a malicious file with the SAME MD5 signature, we could then use the malicious file has if it was the verified file.