> Navigating to the address shows us a login page requesting a password.

![image](https://user-images.githubusercontent.com/68913871/132793106-24c74cd9-77bf-49e0-ba97-c73d1e938137.png)

> Viewing the page source, we can see that the page uses PHP.

```html
<link rel="stylesheet" type="text/css" href="style.css">
<title>Login Page</title>
<form class="box" action="login.php" method="get">
<h1>Welcome to TMUCTF 2021</h1>
<h3>Just login and get the flag:</h3>
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Login" />
</form>
```

> Navigate to /robots.txt

```txt
if (isset($_GET["password"])) {
    if (hash("md5", $_GET["password"]) == $_GET["password"]) {
        echo "<h1>Here is the flag:</h1>" . $flag;
    } else {
        echo "Try harder!";
    }
}
```

> The approach to this challenge is adapted from a similar challenge from another CTF shown in [this writeup](https://ctftime.org/writeup/12065).

> Here, we see a vulnerability. The comparison in the `if` condition is done with `==` instead of `===`. With `==`, PHP compares two numeric strings as numbers, so the comparison also returns true if both strings are numbers in scientific notation: `0e` followed by digits evaluates to 0 on each side. So we just need to find a string whose hash is of the form `0e` + some digits.

> The following is a Python script taken from [here](https://github.com/bl4de/ctf/blob/master/2017/HackDatKiwi_CTF_2017/md5games1/md5games1.md), which uses brute force to give us the required string: `0e215962017`

```python
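#!/usr/bin/env python3
import hashlib
import re
import sys

prefix = '0e'


def breakit():
    """Try 0e0, 0e1, ... until the MD5 hex digest is also '0e' plus 30 digits."""
    iters = 0
    while True:
        s = prefix + str(iters)
        # hashlib.md5() takes bytes in Python 3
        hashed_s = hashlib.md5(s.encode()).hexdigest()
        iters = iters + 1
        # A 32-character digest of the form 0e + 30 decimal digits is a numeric string in PHP
        r = re.match('^0e[0-9]{30}', hashed_s)
        if r:
            print("[+] found! md5( {} ) ---> {}".format(s, hashed_s))
            print("[+] in {} iterations".format(iters))
            sys.exit(0)

        if iters % 1000000 == 0:
            print("[+] current value: {} {} iterations, continue...".format(s, iters))


breakit()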
```

> Entering the string as the password gave us the flag, since the condition `if (hash("md5", $_GET["password"]) == $_GET["password"])` evaluates to true.

`TMUCTF{D0_y0u_kn0w_7h3_d1ff3r3nc3_b37w33n_L0053_c0mp4r150n_4nd_57r1c7_c0mp4r150n_1n_PHP!?}`
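
The loose comparison described above, set beside two type-strict alternatives. This is an added example, not code from the challenge or the original writeup; the function names and the `hunter2` sample are constructed for illustration.

```php
<?php
// The check from the challenge source. Both operands are strings, but PHP
// compares two numeric strings as numbers, so "0e<digits>" on each side is 0 == 0.
function loose_check(string $password): bool
{
    return hash("md5", $password) == $password;
}

// Same check with the identity operator: the strings are compared as strings.
function strict_check(string $password): bool
{
    return hash("md5", $password) === $password;
}

// hash_equals() also compares as strings and is timing-safe.
function hash_equals_check(string $password): bool
{
    return hash_equals(hash("md5", $password), $password);
}

// Constructed inputs: the string from the writeup and an ordinary password.
$samples = ["0e215962017", "hunter2"];

foreach ($samples as $password) {
    $digest = hash("md5", $password);
    $bothNumeric = is_numeric($digest) && is_numeric($password);

    printf("password             : %s\n", $password);
    printf("md5(password)        : %s\n", $digest);
    printf("both numeric strings : %s\n", var_export($bothNumeric, true));
    printf("==                   : %s\n", var_export(loose_check($password), true));
    printf("===                  : %s\n", var_export(strict_check($password), true));
    printf("hash_equals          : %s\n\n", var_export(hash_equals_check($password), true));
}
```

Only the `==` row accepts the writeup's string; the other two checks compare the 11-character input against the 32-character digest as strings and reject it.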

Original writeup (https://github.com/Rookie441/CTF/blob/main/Storage/Writeups/TMUCTF2021_Writeup.md#login).