Let’s start another challenge from pwnable.kr called collision, which is next one in Toddler’s Bottle category.

Once again we have to connect via ssh in order to view challenge files.

And without hesitation, let’s jump straight into the code.

Firstly int* ip = (int*)p; will cast the char, passed as the parameter into the check_password function. In addition we know that the passcode has to be 20 bytes. After doing simple mathematics, our input will have to consist of 5 integers, as the size of int is 4 bytes. What next?

Function will return the sum of these 5 integers, which is calculated by the loop. Back in the main function, this sum is checked for length, then compared with hash and if the answer is correct, it will view the flag for us.

Let’s convert hash into the decimal number.

Great, now we can divide it into 5 pieces. But as the number is not divisible by 5, we’ll have to use floor division which will truncate numbers after decimal point.

Now let’s use these 4 pieces. We will substract them from the original hash, which will result in our fifth piece.

Will it be true? We can check it with simple comparision operation.

Great, our math worked out! Now we will only have to convert these hex values into little endian, as that’s how C stores integers. After that we’re ready to exploit this application.