What? Writeup - BCACTF 6.0
My writeup for the Web/What? challenge in BCACTF 6.0
Web/What? - Thomas Raskin
Surmount the insurmountable. http://challs.bcactf.com:47861
Initial Thoughts
We are given a website that asks you to input two strings, and then compares their hashes. We are also given what.php, a script that determines the conditions you must meet to get the flag.
Methodology
This is the full PHP script:
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $str1 = $_POST['string1'] ?? '';
    $str2 = $_POST['string2'] ?? '';
    $hash1 = md5($str1);
    $hash2 = md5($str2);
    if ($str1 == $str2 || strlen($str1) > 100 || strlen($str2) > 100 ||
        strlen($str1) < 5 || strlen($str2) < 5) {
        echo "No\n";
        exit;
    } else if ($hash1 == $hash2) {
        echo file_get_contents("flag.txt");
        exit;
    }
}
?>
Let’s break it down further:
    if ($str1 == $str2 || strlen($str1) > 100 || strlen($str2) > 100 ||
        strlen($str1) < 5 || strlen($str2) < 5) {
        echo "No\n";
        exit;
If string 1 and string 2 are equal, or either of them is longer than 100 characters or shorter than 5 characters, it won’t return the flag.
    } else if ($hash1 == $hash2) {
        echo file_get_contents("flag.txt");
        exit;
If the MD5 hash of string 1 is equal to the hash of string 2, then it will print the flag.
Two different strings that have the same hash are known as a hash collision. On the MD5 Wikipedia page, the following hash collision is listed:
However, this collision won’t work, as both the strings are longer than 100 characters.
On Twitter, I find this MD5 hash collision:
Submitting those two strings into the form passes all checks and gets us our flag.
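For contrast, here is the same check in hardened form, as an added example that is not part of the challenge or the original writeup. The function names and sample inputs are hypothetical, and SHA-256 with hash_equals() is a substitution for the script's MD5 and ==.

```php
<?php
// Added example, not the challenge's code; function names are hypothetical.

// The page's logic as a function: loose == on inputs and on MD5 hex digests.
function weak_check($s1, $s2): bool {
    if ($s1 == $s2 || strlen($s1) > 100 || strlen($s2) > 100 ||
        strlen($s1) < 5 || strlen($s2) < 5) {
        return false;
    }
    return md5($s1) == md5($s2);
}

// Hardened form: type-checked input, strict comparison, and SHA-256 digests
// compared with hash_equals() (byte-wise and constant-time).
function hardened_check($s1, $s2): bool {
    if (!is_string($s1) || !is_string($s2)) {
        return false; // reject arrays and other non-string POST values
    }
    $len1 = strlen($s1);
    $len2 = strlen($s2);
    if ($s1 === $s2 || $len1 < 5 || $len1 > 100 || $len2 < 5 || $len2 > 100) {
        return false;
    }
    return hash_equals(hash('sha256', $s1), hash('sha256', $s2));
}

// Constructed digest-shaped strings (not real MD5 outputs) showing why == is
// unsuitable for hex digests: both parse as numbers in exponent notation, so
// PHP compares them numerically instead of byte by byte.
$d1 = '0e' . str_repeat('1', 30);
$d2 = '0e' . str_repeat('2', 30);

$results = [
    'loose =='                             => $d1 == $d2,
    'strict ==='                           => $d1 === $d2,
    'hash_equals()'                        => hash_equals($d1, $d2),
    'weak_check on constructed inputs'     => weak_check('alpha-one', 'alpha-two'),
    'hardened_check on constructed inputs' => hardened_check('alpha-one', 'alpha-two'),
];
foreach ($results as $label => $value) {
    printf("%-40s %s\n", $label, var_export($value, true));
}
```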
Solution
The flag is bcactf{wh0_kn0ws_4nym0r3_11fab08d769a}. This challenge explored a very interesting phenomenon. It was cool to learn about hash collisions.