Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!

ssh col@pwnable.kr -p2222 (pw:guest)

The col binary is setgid col_pwn, so we can make use of it.

#include <stdio.h>
#include <stdlib.h>   /* declares system() */
#include <string.h>

unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
        int* ip = (int*)p;
        int i;
        int res=0;
        for(i=0; i<5; i++){
                res += ip[i];
        }
        return res;
}

int main(int argc, char* argv[]){
        if(argc<2){
                printf("usage : %s [passcode]\n", argv[0]);
                return 0;
        }
        if(strlen(argv[1]) != 20){
                printf("passcode length should be 20 bytes\n");
                return 0;
        }

        if(hashcode == check_password( argv[1] )){
                system("/bin/cat flag");
                return 0;
        }
        else
                printf("wrong passcode.\n");
        return 0;
}
col.c

A simple challenge based on functions.

Note: in this kind of challenge, it may be convenient to just reverse the function and work backwards from the expected result.

From main, we can see that the flag is printed if check_password, applied to the first argument, returns a value equal to hashcode.

The check_password function casts the char pointer it receives to an int pointer, so the 20-byte passcode is read as five 4-byte ints, and it adds those five ints into res, which should equal the hashcode.

So, let’s go through the function backwards.

0x21DD09EC / 5 = 0x6C5CEC8

However, multiplying the result by 5 again does not give back the hashcode; 4 bytes are lost.

Then add the lost 4 bytes back:

Pwned!
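
The arithmetic above as an added C example (not part of the original write-up or of col.c): 0x21DD09EC divided by 5 leaves a remainder of 4, so four words of 0x6C5CEC8 plus one word carrying the remainder sum back to the hashcode, and moving value between two words yields a second, different input with the same sum. The helper names word_sum, build_input and has_nul are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET 0x21DD09ECu   /* hashcode from col.c */
#define WORDS  5             /* check_password sums five 4-byte ints */

/* Same sum as check_password, with fixed-width wraparound arithmetic. */
uint32_t word_sum(const unsigned char buf[20]) {
    uint32_t sum = 0, w;
    for (int i = 0; i < WORDS; i++) {
        memcpy(&w, buf + 4 * i, sizeof w);   /* avoids the unaligned int* cast */
        sum += w;
    }
    return sum;
}

/* Four words of TARGET/5 plus one word that absorbs the remainder.
 * `shift` moves value from the last word to the first, which gives a
 * different 20-byte input with the same sum (a collision). */
void build_input(unsigned char out[20], uint32_t shift) {
    uint32_t q = TARGET / WORDS, r = TARGET % WORDS;
    uint32_t words[WORDS] = { q + shift, q, q, q, q + r - shift };
    memcpy(out, words, sizeof words);
}

/* argv strings end at the first NUL, so strlen() == 20 requires none. */
int has_nul(const unsigned char buf[20]) {
    return memchr(buf, 0, 20) != NULL;
}

int main(void) {
    unsigned char a[20], b[20];
    build_input(a, 0);
    build_input(b, 0x01010101u);             /* constructed second input */
    printf("q=0x%X r=%u\n", (unsigned)(TARGET / WORDS), (unsigned)(TARGET % WORDS));
    printf("a: sum=0x%X nul=%d\n", (unsigned)word_sum(a), has_nul(a));
    printf("b: sum=0x%X nul=%d\n", (unsigned)word_sum(b), has_nul(b));
    printf("a and b differ: %d\n", memcmp(a, b, 20) != 0);
    return 0;
}
```

Because a plain sum has this many colliding inputs, a check like this is an equality test on one 32-bit value, not a hash in the MD5 sense the challenge text alludes to.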