You have part of the source to a really bad hash function, and an oracle that will hash anything up to 32 bytes. Hash the following string.

the flag the flag the flag the flag the flag the flag the flag the game

(71 bytes — sorry, the oracle will not hash it for you)

You may access the oracle at http://problems1.2016q1.sctf.io:17117/. The oracle accepts a base64-encoded input passed via the query string. You can interface with the oracle using your browser (e.g. http://problems1.2016q1.sctf.io:17117/?dGhlIGZsYWc=), cURL, or anything you want, really.

$ hash() { curl 'http://problems1.2016q1.sctf.io:17117/?'\"$(echo -n $1 | base64)\"; }
$ hash 'the flag'
d0d27218a363a192