When Hearts Collide (TryHackMe) - MD5 Collision

When Hearts Collide is a TryHackMe challenge that presents itself as a playful dog-matching service powered by MD5 hash comparison. The challenge description hints at the vulnerability right away: it states that "The algorithm is completely transparent" and names MD5 fingerprint matching as the core mechanism.
The premise is simple - upload a photo, and if its MD5 hash matches one of the "curated pups" in the database, you've found your match. However, the security implication is profound: the application relies on MD5, a cryptographically broken hash function vulnerable to collision attacks.
This write-up documents the reconnaissance phase, multiple failed exploitation attempts, and ultimately, the successful MD5 collision attack that revealed the flag.
My Dearest Hacker,
Matchmaker is a playful, hash-powered experience that pairs you with your ideal dog by comparing MD5 fingerprints. Upload a photo, let the hash chemistry do its thing, and watch the site reveal whether your vibe already matches one of our curated pups. The algorithm is completely transparent, making every match feel like a wink from fate instead of random swipes.
Come get your dog today!
You can access the web app here:
http://MACHINE_IP
Key Vulnerability: MD5 Collision
Primary Tools: FastColl, nmap, gobuster, curl
nmap -sV -p- <IP_Address>
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-15 09:15 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for <IP_Address>
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.97 seconds
gobuster dir -u http://<IP_Address> -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://<IP_Address>
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/static (Status: 301) [Size: 162] [--> http://<IP_Address>/static/]
/upload (Status: 405) [Size: 153]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
Looking around the site, there was an image upload feature. I tried uploading different images, LFI, path traversal, brute-forcing common words, and using different images to try to generate images that would match, also using the error messages to get a better script with the help of Claude, and eventually the script below was of help. One of the generated images matched with the site's dog database, and I found the flag.
https://gist.github.com/jebitok-dev/95f6fac2d647b8ca8ed72205b9d67610
md5sum md5_data
6176e3f017db666333250d836aed7a0b
Uploading one of the images, the dog matchmaker found a match in their database, and the flag was revealed on the site.
🎯 Conclusion
The Winning Exploit: MD5 Collision Attack
After exhausting traditional web exploitation vectors (LFI, path traversal, directory brute-forcing), the solution lay in the challenge's explicit hint about MD5 hashing. The breakthrough came from leveraging FastColl, a tool that generates MD5 collision pairs - two different files that produce identical MD5 hashes.
The Attack Flow:
Generated collision files using FastColl: md5_data1 and md5_data2
Both files shared the same MD5 hash: 6176e3f017db666333250d836aed7a0b
Uploaded md5_data1 to the Matchmaker application
The application's hash-matching algorithm identified a match with a pre-seeded dog profile
The match page revealed the flag: THM{hash_puppies_4_all}
Key Takeaways
1. MD5 is Cryptographically Broken
MD5 collisions can be generated in seconds using tools like FastColl or HashClash
Applications should never rely on MD5 for security-critical operations
Modern alternatives include SHA-256, SHA-3, or BLAKE2
2. Hints Matter
The challenge explicitly mentioned "MD5" and "transparent algorithm"
Recognizing these hints early would have saved time on unsuccessful attack vectors
CTF challenges often telegraph their intended solution
3. Persistence Pays Off
Initial approaches (LFI, path traversal, brute-forcing) all failed
Success required pivoting to a completely different attack vector
Understanding when to abandon an approach is as important as trying it
4. Real-World Impact
While this was a CTF, MD5 collision vulnerabilities exist in production systems
File integrity checking, digital signatures, and authentication systems using MD5 are all vulnerable
The 2008 Flame malware famously used MD5 collisions to forge Microsoft code-signing certificates
OWASP Mapping
A02:2021 - Cryptographic Failures: Using MD5 for security-sensitive operations
CWE-328: Use of Weak Hash
Remediation
If building a similar application, developers should:
Use SHA-256 or stronger cryptographic hash functions
Implement proper file validation beyond hash comparison
Add rate limiting on upload endpoints
Consider adding digital signatures for file integrity verification
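A sketch of the first two remediation points, added here as an example; it is not code from the challenge or from the linked gist. It compares an MD5-only matcher with one that also checks SHA-256 and flags an upload whose MD5 matches a stored image while its content differs. The catalog layout, profile names and function names are assumptions, and the two byte strings are the publicly documented MD5 collision pair from Wang et al. (2004).

```python
import hashlib

# Public MD5 collision test vector (Wang et al., 2004): two 128-byte
# messages that differ in six bytes yet share a single MD5 digest.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

def digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()

def seed(profiles: dict) -> list:
    """Catalog records keep the legacy MD5 next to a SHA-256 digest."""
    return [{"name": name, "md5": digest("md5", img), "sha256": digest("sha256", img)}
            for name, img in profiles.items()]

def md5_only_match(upload: bytes, catalog: list):
    """Assumed weak matcher: MD5 equality alone, as the challenge text implies."""
    md5 = digest("md5", upload)
    return next((r["name"] for r in catalog if r["md5"] == md5), None)

def classify(upload: bytes, catalog: list) -> tuple:
    """Return (verdict, profile): 'match', 'md5-collision' or 'no-match'."""
    md5, sha = digest("md5", upload), digest("sha256", upload)
    for rec in catalog:
        if rec["sha256"] == sha:          # identical bytes to the stored image
            return ("match", rec["name"])
    for rec in catalog:
        if rec["md5"] == md5:             # MD5 agrees but the content differs
            return ("md5-collision", rec["name"])  # reject and log this upload
    return ("no-match", None)

# Constructed catalog: profile names and image bytes are placeholders.
CATALOG = seed({"biscuit": MSG_A, "pepper": b"constructed sample image bytes"})

if __name__ == "__main__":
    for label, blob in (("stored image", MSG_A), ("colliding upload", MSG_B)):
        print(label, md5_only_match(blob, CATALOG), classify(blob, CATALOG))
```

The "md5-collision" verdict is also a useful detection signal: two distinct files sharing an MD5 digest do not occur by accident, so such an upload is worth logging.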




