This challenge was solved, and the write-up written, by one of my teammates, hege, and me.
Steps to solve this challenge:
- Find robots.txt: http://impossible.asis-ctf.ir/robots.txt and the backup folder
- Download the backup: http://impossible.asis-ctf.ir/backup/1444419635.tar.gz
- Understand the source code and search for security vulnerabilities in it
- Find the fishy md5() == comparison
- Process the user data and search for a vulnerable username
- Find
- Find another MD5 “collision” (as many of the already known collisions found on the web are “already used”)
- Our collision was:
- Register a new user with this username (“D8WKOXN880XR”)
- The get_user function will match adm2salwg’s user info instead of our new user’s, thus leaking out adm2salwg’s password: 1W@ewes$%rq0
- Login with adm2salwg / 1W@ewes$%rq0
- Profit:
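As an added example that is not part of the original write-up, here is a Python model of the bug behind the fishy md5() == comparison: in PHP, two hex digests of the form 0e<digits> are both numeric strings that evaluate to 0.0, so the loose comparison reports them equal even though the digests differ. The usernames below are well-known public magic-hash strings standing in for adm2salwg and D8WKOXN880XR (whose digests are not reproduced here), the user records are constructed, and the hardened lookup shows the byte-exact check (hash_equals() or === in PHP) that the challenge code lacked.

```python
import hashlib
import hmac
import re

# PHP treats a string of this shape as numeric; "0e<digits>" is 0 * 10^n = 0.0.
# Simplified for hex digests: no sign, whitespace or fraction handling needed.
_PHP_NUMERIC = re.compile(r"^\d+(e\d+)?$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's `$a == $b` for two strings: both numeric -> compared
    as numbers, otherwise compared byte for byte."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_md5(s: str) -> bool:
    """True if md5(s) is 0e<digits>, so `md5(s) == md5(t)` holds under PHP
    for every other t whose digest has the same shape."""
    return re.fullmatch(r"0e\d+", md5_hex(s)) is not None


def find_magic_users(usernames):
    """Audit step for the defender: which existing accounts are reachable
    through the loose comparison at all?"""
    return [u for u in usernames if is_magic_md5(u)]


def vulnerable_lookup(users, candidate):
    """The flawed pattern: loose comparison of hex digests."""
    for name, record in users.items():
        if php_loose_eq(md5_hex(name), md5_hex(candidate)):
            return record
    return None


def fixed_lookup(users, candidate):
    """Hardened: constant-time, byte-exact digest comparison."""
    target = md5_hex(candidate)
    for name, record in users.items():
        if hmac.compare_digest(md5_hex(name), target):
            return record
    return None


# Constructed user table; "240610708" plays the role of the victim account.
USERS = {"alice": {"password": "constructed-pw-1"},
         "240610708": {"password": "constructed-pw-victim"}}
```

Running vulnerable_lookup(USERS, "QNKCDZO") returns the victim's record because both digests start with 0e, while fixed_lookup returns None for the same input.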