Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!<\/p>\n\n\n\n
ssh col@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n
#include <stdio.h>\n#include <string.h>\nunsigned long hashcode = 0x21DD09EC;\nunsigned long check_password(const char* p){\n\tint* ip = (int*)p;\n\tint i;\n\tint res=0;\n\tfor(i=0; i<5; i++){\n\t\tres += ip[i];\n\t}\n\treturn res;\n}\n\nint main(int argc, char* argv[]){\n\tif(argc<2){\n\t\tprintf(\"usage : %s [passcode]\\n\", argv[0]);\n\t\treturn 0;\n\t}\n\tif(strlen(argv[1]) != 20){\n\t\tprintf(\"passcode length should be 20 bytes\\n\");\n\t\treturn 0;\n\t}\n\n\tif(hashcode == check_password( argv[1] )){\n\t\tsystem(\"\/bin\/cat flag\");\n\t\treturn 0;\n\t}\n\telse\n\t\tprintf(\"wrong passcode.\\n\");\n\treturn 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\nhashcode \ubcc0\uc218\uc5d0 0x21DD09EC \uac12\uc774 \ub4e4\uc5b4\uc788\uace0,<\/p>\n\n\n\n
check_password \ud568\uc218\uc5d0\ub294 p \ubb38\uc790\uc5f4\uc744 \uac00\uc838\uc640 int \ud615\uc73c\ub85c \uac15\uc81c \ud615\ubcc0\ud658\uc2dc\ud0a8\ub2e4.
int \ud615\uc2dd\uc758 \ud06c\uae30\ub294 4\ubc14\uc774\ud2b8\uc774\uae30\uc5d0, 4\ubc14\uc774\ud2b8\uc529 5\ubc88 \uc77d\uc5b4\ub4e4\uc5ec res\uc5d0 \ub354\ud558\uace0 \ubc18\ud658\ud55c\ub2e4.<\/p>\n\n\n\n
\uadf8\ub9ac\uace0 \uba54\uc778 \ud568\uc218\uc5d0\ub294 \uc778\uc790\uac00 \uc5c6\uc73c\uba74 usage\ub97c \ucd9c\ub825\ud558\uace0,
1\ubc88\uc9f8 \uc778\uc790\uae38\uc774\uac00 20\uc774 \uc544\ub2c8\uba74 “passcode length should be 20 bytes” \uba54\uc2dc\uc9c0\ub97c \ucd9c\ub825\ud55c\ub2e4.<\/p>\n\n\n\n
hashcode\uac00 check_password(argv[1])\uc758 \ub9ac\ud134\uac12\uacfc \uc11c\ub85c \uac19\uc73c\uba74 flag\ub97c \ucd9c\ub825\ud558\uace0,
\uc544\ub2c8\uba74 “wrong passcode.”\ub97c \ucd9c\ub825\ud55c\ub2e4.<\/p>\n\n\n\n
\n\n\n\n\ud480\uc774<\/h2>\n\n\n\n
5\ubc88 \uc77d\uc5b4\ub4e4\uc5ec res\uc5d0 \ub354\ud55c \uac12\ub4e4\uc774 0x21DD09EC \uac12\uc774 \ub418\uc5b4\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
0x21DD09EC \uac12\uc744 \uc2ed\uc9c4\uc218\ub85c \ubcc0\ud658\ud558\uba74 568134124\uc774\ub2e4.
568134124\uc744 5\ubc88 \ub098\ub204\uba74, \ubaab\uc740 113626824\uc774 \ub418\uace0 \ub098\uba38\uc9c0\ub294 4\uac00 \ub41c\ub2e4.<\/p>\n\n\n\n
113626824\ub97c 16\uc9c4\uc218\ub85c \ubcc0\ud658\ud558\uba74 0x6C5CEC8\uc774 \ub418\uace0,
\ub530\ub77c\uc11c 0x6C5CEC8\ub97c 4\ubc88 \ub354\ud558\uace0, \ub098\uba38\uc9c0 4\ub97c \ub354\ud55c 0x6C5CECC\ub97c 1\ubc88 \ub354\ud558\uba74 0x21DD09EC\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
\n\nfrom pwn import *\n\ns = ssh('col', 'pwnable.kr', 2222, 'guest')\n\nargvs = [\".\/col\", (p32(0x6c5cec8)*4 + p32(0x6c5cecc))]\np = s.process(executable=\".\/col\", argv=argvs)\n\ndata = p.recvall()\nprint(data)\np.close()\ns.close()<\/pre>\n<\/div>\n<\/div>\n\n\n\n\n\nubuntu@docker:~\/CTF\/pwnable.kr\/collision$ python3 collision.py \n[+] Connecting to pwnable.kr on port 2222: Done\n[*] col@pwnable.kr:\n Distro Ubuntu 16.04\n OS: linux\n Arch: amd64\n Version: 4.4.179\n ASLR: Enabled\n[+] Starting remote process bytearray(b'.\/col') on pwnable.kr: pid 104973\n[+] Receiving all data: Done (52B)\n[*] Stopped remote process 'col' on pwnable.kr (pid 104973)\nb'daddy! I just managed to create a hash collision :)\\n'<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"Daddy told me about cool MD5 hash collision today.I wanna do something like that too! ssh col@pwnable.kr -p2222 (pw:guest) \uc18c\uc2a4\ucf54\ub4dc hashcode \ubcc0\uc218\uc5d0 0x21DD09EC \uac12\uc774 \ub4e4\uc5b4\uc788\uace0, check_password \ud568\uc218\uc5d0\ub294 p \ubb38\uc790\uc5f4\uc744 \uac00\uc838\uc640 int \ud615\uc73c\ub85c \uac15\uc81c \ud615\ubcc0\ud658\uc2dc\ud0a8\ub2e4.int \ud615\uc2dd\uc758 \ud06c\uae30\ub294 4\ubc14\uc774\ud2b8\uc774\uae30\uc5d0, 4\ubc14\uc774\ud2b8\uc529 5\ubc88 \uc77d\uc5b4\ub4e4\uc5ec res\uc5d0 \ub354\ud558\uace0 \ubc18\ud658\ud55c\ub2e4. \uadf8\ub9ac\uace0 \uba54\uc778 \ud568\uc218\uc5d0\ub294 \uc778\uc790\uac00 \uc5c6\uc73c\uba74 usage\ub97c \ucd9c\ub825\ud558\uace0,1\ubc88\uc9f8 \uc778\uc790\uae38\uc774\uac00 20\uc774 \uc544\ub2c8\uba74 “passcode length… \ub354 \ubcf4\uae30 »collision<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-544","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=544"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/544\/revisions"}],"predecessor-version":[{"id":545,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/544\/revisions\/545"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}