pwnable.kr - collision
Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!
ssh email@example.com -p2222 (pw:guest)
As the setgid of col_pwn on col, we can utilize it.
A simple challenge based on functions.
Note: in these kind of challenges, it may be convenient to just reverse the function and follow it up.
From main, we can find out that the flag will be printed if the first parameter which went through check_password equals hashcode.
The check_password function changes the accepted parameter from char to int, and it adds the parameter itself to res for 5 times, which should equal the hashcode.
So, let’s go through the function backwards.
0x21DD09EC/5 = 6C5CEC8
However, multiplying 5 again to the output doesn’t equal the hashcode; 4 bytes are lost.
Again add the lost 4 byte: