### Login Page
### Page's source code
```html
...
<form class="box" action="login.php" method="get">
<h1>Welcome to TMUCTF 2021</h1>
<h3>Just login and get the flag:</h3>
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Login">
</form>
...
```
The password is sent to `login.php` and checked there. We don't know what `login.php` does.
But, there is *php code* in `/robots.txt`.
[http://185.235.41.189/robots.txt](http://185.235.41.189/robots.txt)
```php
if (isset($_GET["password"])) {
    if (hash("md5", $_GET["password"]) == $_GET["password"]) {
        echo "<h1>Here is the flag:</h1>" . $flag;
    } else {
        echo "Try harder!";
    }
}
```
The *vulnerability* in this code is the use of **loose comparison** `==` instead of **strict comparison** `===`.
In **PHP**:
- **Loose comparison** using `==` or `!=` : testing **value** of the variables. `'123' == 123 // true`
- **Strict comparison** using `===` or `!==` : testing **both type and value** of the variables. `'123' === 123 // false`
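**PHP loose comparison** also returns *true* when both strings are numeric strings in scientific notation, because they are then compared as numbers: `0e123` is read as 0 × 10^123, which is 0.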
```
'0e123' == '0' // true
```
In this challenge, we have to supply a string whose **MD5** hash is the same as the string itself. But because **loose comparison** is used, we can just supply a string of the form `0e` + some digits whose hash is also of the form `0e` + some digits, so both sides compare as the number 0.
A list of such strings is available [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md#magic-hashes---exploit).
Let's use `0e1137126905`.
[http://185.235.41.189/login.php?password=0e1137126905](http://185.235.41.189/login.php?password=0e1137126905)
And, we get the flag!
*flag*:`TMUCTF{D0_y0u_kn0w_7h3_d1ff3r3nc3_b37w33n_L0053_c0mp4r150n_4nd_57r1c7_c0mp4r150n_1n_PHP!?}`
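The check from `robots.txt` next to two hardened forms, as an added example that is not part of the challenge's code. The function names and the two control inputs are assumptions made for illustration; only `0e1137126905` comes from this write-up.

```php
<?php
// Added example: the loose check from robots.txt beside strict alternatives.
// Function names are hypothetical; the control inputs are constructed.

// The check as published: == converts two numeric strings to numbers first.
function loose_check(string $password): bool
{
    return hash("md5", $password) == $password;
}

// Strict comparison: both operands are strings, so they must match
// character for character.
function strict_check(string $password): bool
{
    return hash("md5", $password) === $password;
}

// hash_equals() compares strings byte by byte in constant time and never
// casts them to numbers.
function constant_time_check(string $password): bool
{
    return hash_equals(hash("md5", $password), $password);
}

// True when PHP would treat the string as a number, which is the
// precondition for the numeric comparison that == falls back to.
function compared_as_number(string $s): bool
{
    return is_numeric($s);
}

// First entry is the value used in this write-up; the rest are controls.
$samples = ["0e1137126905", "hunter2", "12345"];

foreach ($samples as $p) {
    $h = hash("md5", $p);
    printf("input=%s md5=%s\n", $p, $h);
    printf(
        "  numeric(input)=%s numeric(md5)=%s loose=%s strict=%s hash_equals=%s\n",
        var_export(compared_as_number($p), true),
        var_export(compared_as_number($h), true),
        var_export(loose_check($p), true),
        var_export(strict_check($p), true),
        var_export(constant_time_check($p), true)
    );
}
```

Run it with `php` on the command line: the loose check accepts the write-up's input only because both the input and its hash are numeric strings, while `===` and `hash_equals()` reject it.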