Description
The flaghasher binary runs with elevated privileges but only prints md5sum /root/flag.txt. Hijack the PATH so md5sum points to your own script that cats the flag.
Setup
SSH to shape-facility.picoctf.net -p 51426 (password 8d076785).
Confirm flaghasher is SUID-root and pull its strings to see what it shells out to.
Build a fake md5sum in your home directory and put . first in PATH so it wins the lookup.
ssh -p 51426 ctf-player@shape-facility.picoctf.netls -la flaghasherstrings flaghasher | grep -E 'md5sum|/bin/'echo '/bin/cat /root/flag.txt' > md5sum && chmod +x md5sumexport PATH=.:$PATH && ./flaghasherSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
strings, PATH, and SUID enumeration in depth.Step 1
Discover the helper callObservationI noticed the binary runs with SUID-root privileges but behaves like a wrapper around an external command, which suggested usingstringsto inspect what it calls and whether that call uses an absolute path or a bare name that PATH controls.strings flaghasherproduces hundreds of lines, so always pipe straight into grep rather than scrolling. The hit is/bin/bash -c 'md5sum /root/flag.txt'. The baremd5sum(no leading/) means Linux resolves it via PATH - so you control which binary runs.bashstrings flaghasher | grep md5sumbash# Output: /bin/bash -c 'md5sum /root/flag.txt'What didn't work first
Tried: Run
ltrace ./flaghasherorstrace ./flaghasherto see what system call it makes instead of using strings.ltrace and strace do show the execve call, but they run the binary in a traced mode that can suppress SUID privileges on many Linux kernels (ptrace attach is blocked for SUID binaries). You may see 'Permission denied' or an incomplete trace.
stringsis the right first step because it is purely static - it reads the ELF file without executing it - so SUID restrictions are irrelevant.Tried: Grep for an absolute path like
/usr/bin/md5sumin the strings output to confirm it uses the full path.The binary intentionally omits the leading path, so grepping for
/usr/bin/md5sumreturns nothing and can mislead you into thinkingmd5sumis not involved at all. The correct grep target is the bare namemd5sum(or a broader/bin/bash -cpattern), which reveals the unqualified invocation that makes PATH injection possible.Learn more
PATH injection (also called PATH hijacking) exploits the fact that Linux resolves command names by searching directories listed in the
PATHenvironment variable in order from left to right. When a program calls a command by name without specifying an absolute path (e.g.,md5suminstead of/usr/bin/md5sum), the OS finds whatever file namedmd5sumappears first in PATH.The
stringscommand is a first-line static analysis tool. Running it on any SUID binary quickly reveals hardcoded paths, system calls, and - as here - the exact shell command being executed. When that command uses an unqualified binary name (no leading/), PATH injection becomes viable. Real-world SUID binaries have historically been vulnerable to this in many Linux distributions.SUID (Set User ID) bits allow a binary to run with the permissions of its owner rather than the permissions of whoever executes it. A SUID binary owned by root runs as root regardless of which user launches it. This makes SUID binaries high-value targets for privilege escalation - any vulnerability in them potentially grants root access. Modern systems minimize SUID binaries and use capabilities or sudo policies instead.
Step 2
Drop in a fake md5sumObservationI noticed from thestringsoutput thatflaghashercallsmd5sumby bare name with no leading/, which suggested that prepending.to PATH would make Linux resolve our own script first and run it under root privileges.Write a one-linemd5sumthat cats the flag, chmod +x, prepend.to PATH, and verify PATH order before running flaghasher. Critically, the fake script must NOT call any program namedmd5sum(no/usr/bin/md5sum, no recursion fallback) or the hijacked PATH will resolve it back to your own script and infinite-loop. If you SSH out and back in, PATH resets - re-export it.bashecho '/bin/cat /root/flag.txt' > md5sumbashchmod +x md5sumbashexport PATH=.:$PATHbashecho $PATH | tr ':' '\n' | head -3 # verify '.' is firstbash./flaghasherExpected output
picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_bfa4...}What didn't work first
Tried: Write the fake md5sum as
#!/bin/sh /usr/bin/md5sum /root/flag.txtso it falls back to the real md5sum to cat the flag.Calling
/usr/bin/md5suminside the fake script does not read the flag - it hashes it and prints the MD5 digest, not the plaintext content. The goal is to exfiltrate the flag contents, so the script must use/bin/cat /root/flag.txt. Using the real md5sum defeats the entire hijack by just reproducing the original behavior.Tried: Set PATH with
PATH=~:$PATH(home directory by tilde) instead ofPATH=.:$PATHto avoid typing the dot.Tilde expansion (
~) is performed by the shell before PATH is set, soPATH=~:$PATHcorrectly expands to your home directory path. However,./flaghashermust be run from the same directory where the fakemd5sumfile lives. If you are in a different directory than your home, the binary will not find your fake script even with the correct PATH prefix - the fake md5sum must be in the directory that is prepended.Learn more
Prepending
.(the current directory) to PATH is a classic privilege escalation technique. The current directory is never in PATH by default on modern Linux systems specifically because of this attack - if it were, any malicious executable in the current directory would shadow system commands. However, PATH can be freely modified in a shell session, so an attacker who controls PATH can plant fake commands anywhere in the search order.The fake
md5sumscript demonstrates the principle of command substitution: replacing a legitimate system utility with a malicious one. In real penetration testing, this technique is used to establish persistence (replacing cron-invoked scripts), escalate privileges (replacing commands called by SUID binaries), or intercept sensitive data (replacing commands likesshthat handle credentials).The correct fix is for
flaghasherto use the absolute path/usr/bin/md5suminstead of the bare namemd5sum, and to sanitize or reset the PATH environment variable before calling any external commands. This is documented in the POSIX specification and in secure coding guidelines from CERT, MITRE, and CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Interactive tools
- Pwntools ForgeGenerate a complete pwntools exploit script from a template: ret2win, shellcode, ret2libc, ROP chain, format string, or blank scaffold. Fill the form, copy or download the .py file. Fully editable before saving.
- Hash IdentifierIdentify unknown hash types by length and prefix. Covers MD5, SHA-1, SHA-256, SHA-512, bcrypt, NTLM, and more.
- Checksum CalculatorCompute CRC32, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or uploaded files. Verify against known hashes.
Flag
Reveal flag
picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_bfa4...}
Classic PATH hijacking, so always check PATH order when privileged scripts invoke system tools.