I did not solve this challenge during the CTF.

`strncmp()` compares the md5 values in raw bytes instead of hex strings.
The third byte of the md5 value being compared with is a NULL byte, and `strncmp()` stops at NULL bytes, which means we can make an easy md5 collision.