~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    THM When Hearts Colide


    Recon:

    We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.

    nmap -sV -sC -v 10.65.149.102

    PORT STATE SERVICE VERSION

    22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 256 7c:9c:0c:07:d1:06:75:d7:8e:0f:54:94:4f:1a:88:c4 (ECDSA)
    |_ 256 b3:b9:47:d2:8f:d0:40:b1:0d:19:7d:96:70:95:57:e3 (ED25519)
    80/tcp open http nginx
    | http-methods:
    |_ Supported Methods: GET OPTIONS HEAD
    |_http-title: Matchmaker
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    We ffuf to find more info

    ffuf -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -u http://10.65.149.102/FUZZ

    :: Progress: [287/87664] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: static [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 75ms]
    :: Progress: [348/87664] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: upload [Status: 405, Size: 153, Words: 16, Lines: 6, Duration: 64ms]
    #### We do the same on /static >ffuf -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -u http://10.65.149.102/static/FUZZ

    :: Progress: [200/87664] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: uploads [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 63ms]
    :: Progress: [1504/87664] :: Job [1/1] :: 625 req/sec :: Duration: [0:00:02] vendor [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 64ms]
    :: Progress: [2712/87664] :: Job [1/1] :: 606 req/sec :: Duration: [0:00:04] fonts [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 72ms]
    #### Same but on /static/uploads
    We get nothing but we are in /static/uploads, we might be able to upload an image payload. Our upload doesnt work as it test MD5 and returns nothing. ___

    Exploitation:

    In order to find a collision in our hashes we’re going to use FastColl. This program enables us to quickly create 2 files with the same md5 but different payloads. We can then call to one of our files and have the other one run.

    Install FastColl through Docker following the instruction on the FastColl github.

    First we need to create a prefix file to prepend to our jpg file

    \xFF\x08\xFF\xFE\x00\x82  
    printf '\xFF\x08\xFF\xFE\x00\x82' > prefix.bin  

    Next, we run the prefix through our docker command

    docker run --rm -it -v "$PWD:/work" -w /work -u "$(id -u):$(id -g)" brimstone/fastcoll --prefixfile prefix.bin -o msg1.jpg msg2.jpg  

    Finally, we take both our files run them through the app and it returns our hash

    THM{hash_puppies_4_all}


    Notes:

    This is a rather straightforward machines that displays quite simply why and how MD5 collision work. This exercise is quite explicit on when a collision has worked but in the wild this would be harder to spot. However, the functionnality remains the same, if a system is using MD5 to verify its file and we create a malicious file with the SAME MD5 signature, we could then use the malicious file has if it was the verified file.