Looking at the page, we quickly found a .git folder, which we simply cloned.

We got several files. One of them, premium.php, prints the flag after validate(...) in validate_pass.php returns true.

Even though timing attacks were possible (see here for an example), the solution was way simpler.

The critical code is:

$query = "SELECT hash FROM users WHERE username='$user';";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
$line = mysql_fetch_row($result, MYSQL_ASSOC);
$hash = $line['hash'];
if (strlen($pass) != strlen($hash))
    return False;
$index = 0;
while($hash[$index]){
    if ($pass[$index] != $hash[$index])
        return false;
    # Protect against brute force attacks
    usleep(300000);
    $index+=1;
}
return true;

Instead of first using a SQL injection to get the username ~~FLAG~~ and then trying to get the password byte by byte, we simply use a non-existing username and an empty password.

A non-existing username will result in an empty $line variable, so $hash will be empty as well, just like $pass. This way the strlen() check passes, but the while loop never runs (there is simply nothing to loop over) and the function returns true, effectively solving the challenge.
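A hardened counterpart of the check above, as an added example that is not part of the challenge's code: it rejects a missing row explicitly, binds the username as a parameter and compares in constant time. The PDO/SQLite setup, the `alice` user and the SHA-256 sample value are assumptions made so the block runs on its own.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. validate() keeps the original
// contract (compare the supplied $pass with the stored hash column) but
// fails closed. Assumption: PDO + in-memory SQLite stand in for MySQL.
function validate(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: $user never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user, or a row with a NULL/empty hash: reject explicitly
    // instead of letting an empty value reach the comparison.
    if ($row === false || !is_string($row['hash']) || $row['hash'] === '') {
        return false;
    }

    // Constant-time comparison; also rejects strings of different length.
    return hash_equals($row['hash'], $pass);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT)');
$stored = hash('sha256', 'constructed-sample-secret');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', $stored]);

$cases = [
    'unknown user, empty password (input from the writeup)' => ['nobody', ''],
    'known user, empty password'                            => ['alice', ''],
    'known user, matching value'                            => ['alice', $stored],
];
foreach ($cases as $label => [$user, $pass]) {
    printf("%-55s => %s\n", $label, var_export(validate($db, $user, $pass), true));
}
```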

Flag: flag{gr0wth__h4ck!nG!1!1! (the } was missing; you need to append it before submitting the flag)

ccm