Please upload 5 Windows console executable files with the same MD5 but with different printed outputs (file type: MS Windows, PE32 executable, console)
The output for the files should be:
File1: All Eindbazen are wearing wooden shoes
File2: All Eindbazen live in a windmill
File3: All Eindbazen grow their own tulips
File4: All Eindbazen smoke weed all day
File5: All Eindbazen are cheap bastards
The Plan
We need…
a win32 binary which is able to produce all of the 5 different outputs
a way to create multiple files with the same MD5 (they checked for that, simply uploading the same file 5 times didn’t work)
a way to decide when to produce which output
The Solution
After some googling we found the tool fastcoll which generates MD5 collisions really fast (a CMake file to create the fastcoll binary is added at the end of this writeup). With fastcoll we were able to create multiple binaries with the same MD5 due to the fact that adding the “same” block to a MD5 calculation will lead to the same MD5. Also it’s no problem to add some additional data at the end of a (win32) binary.
To test the online-checking of the server, we decided to create a binary which connects back to one of our machines and sends us the filename.
Surprisingly there were a lot of connections, much more than the 5 we expected (from the number of binaries we uploaded).
Seems that this was a prevention against lucky guessing by executing the binary multiple times.
But more interesting was the fact that each name of the executed binary looked like ${randomdata}.${nr_of_binary} (There were more deterministic parts in the random part, but I din’t write them down during the CTF).
So we changed the binary to print the specific output depending on the last char of the filename.
Uploaded the binaries, and voila got the flag.
The Code
binary code
12345678910111213141516171819
#include <stdio.h>#include <string.h>//gcc-Wall-obin400.exebin400.cintmain(intargc,char*argv[]){charc=argv[0][strlen(argv[0])-1];if(c=='1')printf("All Eindbazen are wearing wooden shoes");elseif(c=='2')printf("All Eindbazen live in a windmill");elseif(c=='3')printf("All Eindbazen grow their own tulips");elseif(c=='4')printf("All Eindbazen smoke weed all day");elseprintf("All Eindbazen are cheap bastards");return1;}