Description
Upload two PDFs that have the same MD5 hash. The server will verify both files are different and share the same MD5, then display the flag.
Setup
Download the two pre-crafted MD5-colliding PDF files. These were generated using the Shattered/unicoll attack.
wget https://mercury.picoctf.net/static/.../md5-collision-1.pdf
wget https://mercury.picoctf.net/static/.../md5-collision-2.pdf
md5sum md5-collision-1.pdf md5-collision-2.pdf
Solution
- Step 1: Verify the MD5 collision
Run md5sum on both PDFs to confirm they produce the same hash. Then confirm the files are different using sha256sum or diff.
md5sum md5-collision-1.pdf md5-collision-2.pdf
sha256sum md5-collision-1.pdf md5-collision-2.pdf
diff md5-collision-1.pdf md5-collision-2.pdf && echo 'same' || echo 'different'
MD5 collision attacks produce two different inputs that hash to the same MD5 digest. MD5 produces a 128-bit (16-byte) output, and while brute-forcing a collision would require around 2^64 attempts (birthday paradox), the actual MD5 collision attacks are far faster due to cryptographic weaknesses in MD5's compression function.
The SHAttered attack (2017) demonstrated practical SHA-1 collisions. For MD5, chosen-prefix collision attacks have been practical since 2004 (Xiaoyun Wang's attack) and can run in minutes on modern hardware. The HashClash tool and Marc Stevens' fastcoll can generate MD5 collisions in seconds.
These collisions are particularly dangerous for digital signatures: a malicious actor could get a trusted certificate authority to sign a benign document (with a known MD5), then swap in a malicious document with the same MD5. The signature would be valid for the malicious document. This is why MD5 and SHA-1 are considered cryptographically broken for security purposes.
- Step 2: Upload both PDFs to the challenge server
Submit both PDFs through the upload form. The server treats both as valid because their MD5 digests match - successful collision means same hash, different content, both accepted as legitimate uploads.
What "successful collision" means here. The server's gate is:
file1 != file2 AND md5(file1) == md5(file2)
The two PDFs differ at byte level (diff shows differences, sha256sum shows different SHA-256 hashes) but produce the same 128-bit MD5 digest. Because the server only checks MD5, both uploads are treated as valid distinct documents.
The challenge mirrors a real-world attack scenario: a system using MD5 to verify file integrity can be fooled by crafted collision pairs. Any system that relies on MD5 for security (not just deduplication) is fundamentally broken. Modern systems should use SHA-256 or SHA-3 for integrity verification.
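The gate above, next to a SHA-256 cross-check that flags files sharing an MD5 while differing in content, as an added example (not the challenge server's code). It assumes the widely published 128-byte collision pair from Wang et al. as sample input; the function names, file names and suffix are made up for illustration.

```python
import hashlib
from collections import defaultdict

# Published 128-byte MD5 collision message (Wang et al.); sample input, not from this page.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# The partner message differs from M1 only in the top bit of six bytes.
M2 = bytes(b ^ 0x80 if i in (19, 45, 59, 83, 109, 123) else b
           for i, b in enumerate(M1))


def md5_gate(a: bytes, b: bytes) -> bool:
    """The challenge's gate: contents differ, MD5 digests match."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


def find_md5_collisions(files: dict) -> list:
    """Return groups of names that share an MD5 but have different SHA-256 digests."""
    by_md5 = defaultdict(dict)
    for name, data in files.items():
        by_md5[hashlib.md5(data).hexdigest()][name] = hashlib.sha256(data).hexdigest()
    # Exact duplicates share both digests, so only true collisions are reported.
    return [sorted(group) for group in by_md5.values()
            if len(set(group.values())) > 1]


# Constructed uploads. The same suffix appended to both messages keeps the MD5s
# equal, because MD5's internal state is identical after the two colliding blocks.
SUFFIX = b"%constructed shared trailer"
UPLOADS = {
    "a.bin": M1 + SUFFIX,
    "b.bin": M2 + SUFFIX,
    "c.bin": b"unrelated constructed file",
    "c-copy.bin": b"unrelated constructed file",
}

if __name__ == "__main__":
    print("gate passes:", md5_gate(UPLOADS["a.bin"], UPLOADS["b.bin"]))
    print("collision groups:", find_md5_collisions(UPLOADS))
```

A store keyed on SHA-256 keeps a.bin and b.bin as separate objects, which is why the cross-check is enough to catch the pair.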
Generating chosen-prefix collisions yourself. Marc Stevens' hashclash implements both identical-prefix collisions (fastcoll: same prefix, different 64-byte collision blocks) and chosen-prefix collisions (lets you pick two arbitrary prefixes that hash to the same digest). Quick start:
# Identical-prefix (seconds)
./scripts/poc_no.sh
# Chosen-prefix (hours, runs on GPU)
./scripts/cpc.sh prefix1 prefix2
The chosen-prefix mode is the powerful one: it's how the 2008 rogue-CA attack and the 2012 Flame malware worked - take two genuinely different documents and append crafted padding so they collide.
Flag
picoCTF{...}
MD5 is cryptographically broken - practical collision attacks can produce two different files with identical MD5 hashes, undermining any security system that relies on MD5 for integrity checking.