A flaw in the source code of a web application will allow you to retrieve the flag from https://10.XX.32.95:1005/.
It prints the flag when the MD5 hash of the input data is considered equal to the data itself.
What is the flag printed by the application?
The web page asks for a text string whose MD5 digest is equal to the string itself.
Looking at the page source, there is a commented-out hint that source.txt is available.
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Juggler</title>
<link href="css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="js/bootstrap.min.js"></script>
<script src="js/jquery.min.js"></script>
<link href="css/style.css">
</head>
<body>
<div class="container"><br><br>
<div class="title h2">Find a text string where MD5 digest equal to itself!</div><hr>
<form id="form" class="form" action="/index.php" method="POST">
<div class="form-group">
<input type="text" name="md5" class="form-control" placeholder="Text string goes here" required>
</div>
<div class="form-froup">
<input type="submit" name="submit" class="btn btn-success btn-md col-md-12 pull-right" value="Compare">
</div>
</form><!--<a href="source.txt">Source</a>-->
</div>
</body>
</html>
Looking at source.txt reveals exactly what the web page asks for: the flag is returned only when the MD5 of the provided text is equal to the text itself.
<?php
if (isset($_POST['md5']))
{
$md5=$_POST['md5'];
if ($md5==md5($md5))
echo "dedacted content of a flag";
else
echo "<br><div class=\"h3\"><center><span style=\"color:red\">Sorry, '",htmlspecialchars($md5),"' not the same as ",md5($md5)."</span></center></div>";
}
?>
This challenge explores a well-known PHP issue: type juggling and magic hashes. Because the check uses the loose == operator, two strings that both look like the number 0e followed only by digits are compared as floats, and both evaluate to zero; a magic hash is an input whose own MD5 digest has that form.
Using one of the provided examples, e.g., 0e215962017, the flag is retrieved.
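The following is an added example, not code from the challenge: it places the loose comparison from source.txt beside a hardened version and exercises both with the magic hash 0e215962017 and an ordinary string. The function names and the candidate list are my own.

```php
<?php
// Added example (not the challenge's own code). Demonstrates why the
// loose comparison in source.txt accepts a magic hash and how a strict
// comparison rejects it.

// Vulnerable check, as in source.txt: '==' between two numeric-looking
// strings compares them as numbers. "0e215962017" and its digest
// "0e291242476940776845150308577824" both parse as 0 * 10^n, i.e. 0.0,
// so the comparison succeeds.
function vulnerable_check(string $input): bool
{
    return $input == md5($input);
}

// Hardened check: hash_equals() compares the two strings byte for byte
// (and in constant time), so "0e215962017" no longer matches its digest.
// A plain '===' would also be correct; hash_equals() is the idiomatic
// choice when one side is a digest.
function hardened_check(string $input): bool
{
    return hash_equals(md5($input), $input);
}

// Defender-side helper: flags inputs of the shape that exploits loose
// numeric comparison, useful for logging or rejecting such submissions.
function looks_like_magic_hash(string $input): bool
{
    return preg_match('/^0e\d+$/', $input) === 1;
}

// Constructed candidates: the magic hash from the writeup and a control.
foreach (['0e215962017', 'hello'] as $candidate) {
    printf(
        "%-12s md5=%s loose=%s strict=%s suspicious=%s\n",
        $candidate,
        md5($candidate),
        var_export(vulnerable_check($candidate), true),
        var_export(hardened_check($candidate), true),
        var_export(looks_like_magic_hash($candidate), true)
    );
}
```

Run with the PHP CLI (php example.php); only the magic hash passes the loose check, and neither candidate passes the hardened one.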
Flag: 9e0cd0bd-5e15-4934-85a5-65a6e52ca90e