Learning points from this challenge:
MD5 HAS ITS WEAKNESS!!!
An MD5 hash is meant to detect any change to a file: once a file has been edited, its MD5 hash should differ from the original. However, MD5 is not collision resistant, and there are certain bytes in the file structure that can be altered with no change to the MD5 hash!!!
Objective 11A:
With a history of the current numbers, predict the next 4 numbers
Broadview of solution:
1) Parse the block chain and read the list of numbers from the block chain
2) Use the mersenne-twister-predictor to predict the next 4 numbers
Let's get to work on (1)!
A. Find the total number of blocks = 1548 (129996 - 128449 = 1547, plus one because the range is inclusive = 1548)
- Start of block chain:
- End of block chain:
B. Get the random values (nonces) from all the blocks. Ensure block.dat is in the same folder before running the script.
- Code from editing the given naughty_nice.py script:
C. The nonces will be printed in the shell. Move them to Notepad++ and do a replace. Take note of the search mode.
- This replaces each line break with a ","
That's all for (1), now to (2)!!!
D. Now add the line of numbers to the seedArray variable seen in the code below.
E. Modifying the script from https://github.com/kmyk/mersenne-twister-predictor:
- This time we change the predictor to use 64 bits instead of 32 and add the values into the seed array.
- In the while loop, let the predictor read the values.
- Using the predictor, ask for the next 4 values to get the 130000th block.
F. After running the script:
- The 4th predicted nonce belongs to block 130000, the one we are interested in.
- Convert it to hex and you get the answer!
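As an added example (not the challenge's naughty_nice.py and not the mersenne-twister-predictor project's code), this is the 64-bit predictor step of (2) written out: untemper 312 consecutive nonces into MT19937-64 state, then run the generator forward for the next 4 values. It assumes the nonces come from an unmodified MT19937-64; the seeded constructor is only there to build constructed sample input in place of the real nonce list.

```python
N, M = 312, 156
MASK64 = (1 << 64) - 1
MATRIX_A, UPPER, LOWER = 0xB5026F5AA96619E9, 0xFFFFFFFF80000000, 0x7FFFFFFF
D, B, C = 0x5555555555555555, 0x71D67FFFEDA60000, 0xFFF7EEE000000000

def temper(y):  # output transform applied to each state word before it is emitted
    y ^= (y >> 29) & D
    y ^= (y << 17) & B
    y ^= (y << 37) & C
    return (y ^ (y >> 43)) & MASK64

def _undo(y, shift, mask, left):
    # Invert y = x ^ ((x shifted) & mask); each pass fixes `shift` more bits.
    x = y
    for _ in range(64 // shift + 1):
        x = y ^ (((x << shift) if left else (x >> shift)) & mask)
    return x & MASK64

def untemper(y):  # inverse of temper(): observed nonce -> internal state word
    y = _undo(y, 43, MASK64, False)
    y = _undo(y, 37, C, True)
    y = _undo(y, 17, B, True)
    return _undo(y, 29, D, False)

class MT19937_64:
    def __init__(self, seed=5489):  # reference seeding, used only to build sample data
        self.mt, self.index = [seed & MASK64], N
        for i in range(1, N):
            p = self.mt[-1]
            self.mt.append((6364136223846793005 * (p ^ (p >> 62)) + i) & MASK64)
    @classmethod
    def from_outputs(cls, outputs):
        # Any 312 consecutive outputs are a valid window of the recurrence (no alignment needed).
        gen = cls.__new__(cls)
        gen.mt, gen.index = [untemper(v) for v in outputs[-N:]], N
        return gen

    def rand(self):
        if self.index >= N:  # twist: regenerate the whole state block in place
            for i in range(N):
                x = (self.mt[i] & UPPER) | (self.mt[(i + 1) % N] & LOWER)
                self.mt[i] = self.mt[(i + M) % N] ^ (x >> 1) ^ (MATRIX_A if x & 1 else 0)
            self.index = 0
        self.index += 1
        return temper(self.mt[self.index - 1])

def predict_next(nonces, count=4):
    """Predict the next `count` nonces from the chain's nonce list (needs >= 312)."""
    gen = MT19937_64.from_outputs(nonces)
    return [gen.rand() for _ in range(count)]
```

Feed `predict_next` the nonce list parsed in (1) and the fourth returned value is the nonce of block 130000.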
Objective 11B:
1) Understanding the security weakness of MD5 hash
2) Modifying and recreating a file with the same MD5 hash
Broadview of solution:
1) Identify the altered block by printing out all the scores of the block
2) Restore the block by modifying 4 bytes yet keeping the same MD5 hash as the original
Let's get to work on 1!
A. The Jack Frost block has the largest score, "4294967295", which is out of range.
B. Printing all the scores, we see an unusual score at index 1010.
C. Save the block and check its SHA hash to confirm it matches the block in question.
D. Details of the block:
Now to 2!
E. Necessary reading before starting:
Look at their sample PDFs and check where the bit difference is
Especially after slide 194
F. The first 2 bytes are in the PDF file format structure
(Left = altered, right = original file, blue line shows where change is)
MD5 HASH OF BOTH FILES ARE THE SAME!!!!!!!!!!
G. The next 2 bytes are in the naughty/nice sign of the score
(Left = altered, right = original file, blue line shows where change is)
H. Do an MD5 check of the altered file; there should be no difference from the original
I. Solution = SHA256 of the altered file!!!
Next blog post things
Either about the Pwn challenge, Phoenix by Andrew Griffith or about BambooCTF! Stay tuned!