defund’s a true MD5 fan, and he has a site to prove it.

The website says that we need to give two different strings whose MD5 hashes, after the server’s secret salt is prepended to each, are the same. It also shares the source code with us.

At first, I checked whether they used strict or loose comparison. However, since their comparisons are strict, I started to search for other things. Then, I decided to try sending arrays instead of strings.

First, let me show you what exactly happens when you try to concatenate an array with a string.

The array just acts as if it were the string “Array”. Therefore, we can get the same string with two different arrays and bypass the equality check.
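The behavior described above, next to a hardened form of the check, as an added PHP example that is not the challenge's source code. The salt value, the parameter names `str1`/`str2` and both function names are assumptions made for illustration.

```php
<?php
// Added example: constructed salt and hypothetical names, not the challenge's source.
$salt = 'constructed-salt';

// The check as the write-up describes it: inputs differ, salted MD5s match.
function weak_check(string $salt, $a, $b): bool
{
    // Concatenating an array yields the literal "Array" (PHP reports
    // "Array to string conversion"), so both hashes are md5($salt . "Array").
    return $a !== $b && md5($salt . $a) === md5($salt . $b);
}

// Hardened form: accept only strings before anything is concatenated or hashed.
function strict_check(string $salt, $a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b && hash_equals(md5($salt . $a), md5($salt . $b));
}

// Constructed request data: PHP turns "name[]=value" parameters into arrays.
parse_str('str1[]=a&str2[]=b', $query);

// Silence the conversion warning so the demo output stays readable.
error_reporting(E_ALL & ~E_WARNING & ~E_NOTICE);

var_dump($salt . $query['str1']);                              // what actually gets hashed
var_dump(weak_check($salt, $query['str1'], $query['str2']));   // array inputs, weak check
var_dump(strict_check($salt, $query['str1'], $query['str2'])); // array inputs, type-checked
var_dump(strict_check($salt, 'a', 'b'));                       // ordinary distinct strings
```

With warnings left enabled, "Array to string conversion" entries in the PHP error log for a parameter that should be a string are a sign that arrays are reaching the code.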

Let’s send two different non-empty arrays to try to get our flag.

Here is the flag: actf{but_md5_has_charm}.