
### Login Page

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/TMUCTF_2021_Writeup/Web/Login/info1.png)

### Page's source code
```html
...
<form class="box" action="login.php" method="get">
<h1>Welcome to TMUCTF 2021</h1>
<h3>Just login and get the flag:</h3>
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Login">
</form>
...
```
The password is sent to `login.php` and checked there. We don't know what `login.php` does.

But there is *PHP code* in `/robots.txt`.

[http://185.235.41.189/robots.txt](http://185.235.41.189/robots.txt)

```php
if (isset($_GET["password"])) {
    if (hash("md5", $_GET["password"]) == $_GET["password"]) {
        echo "<h1>Here is the flag:</h1>" . $flag;
    } else {
        echo "Try harder!";
    }
}
```

The *vulnerability* in this code is using **Loose Comparison** `==` instead of **Strict comparison** `===`.

In **PHP**,
- **Loose comparison** using `==` or `!=` tests only the **value** of the variables: `'123' == 123 // true`
- **Strict comparison** using `===` or `!==` tests **both type and value** of the variables: `'123' === 123 // false`

**PHP loose comparison** also returns *true* when both strings are numeric strings in scientific notation, because they are then compared as numbers:
```php
'0e123' == '0' // true
```

In this challenge, we would have to give a string whose **MD5** hash is the same string as itself. But because of the **Loose Comparison**, it is enough to give a numeric string whose hash is of the form `0e` followed by digits: both sides are then treated as `0 * 10^n`, i.e. zero, and the comparison is true.
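To make the loose-vs-strict behaviour above concrete, here is an added PHP example (not part of the original writeup) that reproduces the `robots.txt` check next to a hardened version. `$flag` is a placeholder, and `check_loose`, `check_strict` and `looks_like_zero_e` are names chosen for this example only.

```php
<?php
// Added example, not the challenge's own code. Placeholder flag value.
$flag = 'FLAG{placeholder}';

// Mirrors the check from /robots.txt: loose comparison of the MD5 hex digest
// against the submitted password. Any pair of numeric strings of the form
// 0e<digits> compares equal here, because both evaluate to float 0.
function check_loose(string $password): bool
{
    return hash('md5', $password) == $password;
}

// Hardened form: hash_equals() compares the two strings byte for byte and
// in constant time, never as numbers, so no type juggling is possible.
function check_strict(string $password): bool
{
    return hash_equals(hash('md5', $password), $password);
}

// Defensive helper: does a string have the shape 0e<digits>, i.e. is it a
// numeric string that PHP's == would treat as zero?
function looks_like_zero_e(string $s): bool
{
    return preg_match('/^0e\d+$/', $s) === 1;
}

// The value used in the writeup, and its digest.
$candidate = '0e1137126905';
$digest    = hash('md5', $candidate);

printf("md5('%s') = %s\n", $candidate, $digest);
printf("digest has the 0e<digits> shape: %s\n", looks_like_zero_e($digest) ? 'yes' : 'no');
printf("loose  check (==)           passes: %s\n", check_loose($candidate) ? 'yes' : 'no');
printf("strict check (hash_equals)  passes: %s\n", check_strict($candidate) ? 'yes' : 'no');

// The loose/strict pairs discussed above, evaluated directly.
var_dump('123' == 123);
var_dump('123' === 123);
var_dump('0e123' == '0');
var_dump('0e123' === '0');
```

Run it with `php example.php`. The loose check accepts the candidate while the `hash_equals` version rejects it; the fix for this class of bug is always to compare strings with `===` or `hash_equals()` rather than `==`, since a comparison of two numeric strings under `==` is numeric regardless of PHP version.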

We can find that kind of strings in [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md#magic-hashes---exploit).

Let's use `0e1137126905`.

[http://185.235.41.189/login.php?password=0e1137126905](http://185.235.41.189/login.php?password=0e1137126905)

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/TMUCTF_2021_Writeup/Web/Login/info2.png)

And we get the flag!

*flag*:`TMUCTF{D0_y0u_kn0w_7h3_d1ff3r3nc3_b37w33n_L0053_c0mp4r150n_4nd_57r1c7_c0mp4r150n_1n_PHP!?}`

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/TMUCTF_2021_Writeup/Web/Login).