🐶 When Hearts Collide – TryHackMe Walkthrough

 


🐶 When Hearts Collide – TryHackMe Walkthrough

🧩 Room Details

  • Platform: TryHackMe

  • Room Name: When Hearts Collide

  • Category: Web

  • Difficulty: Medium

  • Target URL: http://MACHINE_IP

📖 Scenario Overview

The “Matchmaker” web application claims to pair you with your perfect dog using MD5 hash comparisons.

The process:

  1. Upload your photo

  2. The system generates an MD5 hash

  3. It compares your hash with stored dog hashes

  4. If there’s a match — you find your “true dog”

Sounds fun… but from a security perspective, this raises immediate red flags.

🎯 Objective

  • Analyze how the MD5 comparison works

  • Identify weaknesses in the hash-based logic

  • Manipulate the hashing process

  • Trigger the correct match

  • Capture the flag

🔎 Initial Analysis

Once the application loads:

  • You are prompted to upload an image.

  • The server calculates an MD5 hash.

  • The hash is compared against pre-existing values.

Clue from the room title:

“Will you find your MD5 match?”

This strongly suggests a hash-based vulnerability.

⚠ Vulnerability Identified – MD5 Weakness

MD5 is:

  • Fast

  • Deterministic

  • Cryptographically broken

  • Vulnerable to collisions

Why This Matters

MD5 collisions allow two different inputs to produce the same hash.

If the application trusts the hash instead of validating the original file securely, it can be tricked into thinking:

“This uploaded image matches one of our curated dogs!”

Even though it doesn’t.

🛠 Exploitation Overview (High-Level)

The exploitation strategy involved:

  1. Observing how the application generates and checks MD5 hashes.

  2. Identifying that the comparison relies solely on hash equality.

  3. Crafting or finding input that produces the required MD5 value.

  4. Uploading the manipulated file.

  5. Triggering the correct match logic.

Because MD5 is weak and predictable, this bypass becomes possible.

🏁 Final Flag

THM{hash_puppies_4_all}

📚 Key Learning Points

  • MD5 should never be used for secure validation.

  • Hash comparison alone is not sufficient for authentication.

  • Collision attacks are real and practical.

  • Legacy hashing algorithms create serious security risks.

  • Always verify content integrity using secure cryptographic standards.

🛡 Defensive Recommendations

If you're building secure systems:

  • Avoid MD5 entirely.

  • Use SHA-256 or stronger algorithms.

  • Combine hashing with server-side validation.

  • Never rely solely on client-controlled file uploads.

  • Implement content verification beyond simple hash matching.

💡 Why This Room Is Valuable

This challenge demonstrates:

  • Practical weaknesses in outdated cryptography

  • How hash-based logic can be abused

  • Real-world risks of legacy security implementations

It’s excellent practice for:

  • Web security learners

  • Penetration testing beginners

  • Cybersecurity students

  • Bug bounty enthusiasts

Comments

Post a Comment

Popular Posts