NISRA - MD5_1

Posted on 2023-03-07 | Post modified | In Security/Practice/NISRA/Web |

NISRA - MD5_1

tags: `NISRA` `CTF` `Web`

Challenge: MD5_1

Source code

 <?php
    highlight_file(__FILE__);
    $FROM_INCLUDE = true;
    include("flag.php");
    $msg = "";
    if (isset($_GET['user']) && isset($_GET['password'])) {
        $user = $_GET['user'];
        $password = $_GET['password'];
        $check = "QNKCDZO";
        // the md5 of "QNKCDZO" is 0e830400451993494058024219903391

        if ($user == "admin" && $password != $check && md5($password) == md5($check)) {
            $msg = "Flag: ".$flag;
        } else {
            $msg = "Keep trying!";
        }
    }

    echo $msg;
?>

Exploit - MD5 Collision

Payload: http://chall2.nisra.net:41022/?user=admin&password=240610708 :::spoiler flag Flag: NISRA{PhP_is_th3_BeST_laNgUA9E} :::

Reference

md5(‘240610708’) == md5(‘QNKCDZO’)

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/nisra/web/2023/03/07/NISRA-MD5_1/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.