hash-only-1

Published: April 2, 2025

Description

The flaghasher binary runs with elevated privileges and does nothing more than run `md5sum /root/flag.txt` and print the hash. Because it names md5sum without a path, you can hijack PATH so that md5sum resolves to your own script, which cats the flag instead.

SSH to shape-facility.picoctf.net -p 51426 (password 8d076785) and inspect `flaghasher`.

Copy the binary locally if desired, but you can exploit it directly on the remote host.

ssh -p 51426 ctf-player@shape-facility.picoctf.net
printf '#!/bin/sh\n/bin/cat /root/flag.txt\n' > md5sum && chmod +x md5sum
export PATH=.:$PATH && ./flaghasher

The shebang line makes the fake md5sum a proper executable; without it bash still runs the file as a script via its ENOEXEC fallback, but other callers (execve directly) would not.

Solution

  1. Step 1: Discover the helper call
    strings flaghasher reveals `/bin/bash -c 'md5sum /root/flag.txt'`. Because md5sum is resolved via PATH, you can substitute your own executable.

    PATH injection (also called PATH hijacking) exploits the way the shell and libc's execvp()/execlp() resolve command names: they search the directories listed in the PATH environment variable from left to right. When a program calls a command by name without an absolute path (md5sum rather than /usr/bin/md5sum), whichever file named md5sum appears first in that search order is executed, and the caller never checks that it is the real tool.

    The strings command is a first-line static analysis tool. Running it on a privileged binary quickly reveals hardcoded paths, library calls and, as here, the exact shell command the binary hands to bash. When that command uses an unqualified binary name (no leading /), PATH injection becomes viable. Confirm the privilege with `ls -l flaghasher`: an s in the owner's execute position means the SUID bit is set. Real-world SUID binaries in mainstream Linux distributions have repeatedly been caught shelling out with unqualified names in exactly this way.

    SUID (Set User ID) bits allow a binary to run with the permissions of its owner rather than the permissions of whoever executes it. A SUID binary owned by root runs as root regardless of which user launches it. This makes SUID binaries high-value targets for privilege escalation: any vulnerability in them potentially grants root access. Modern systems minimize SUID binaries and use capabilities or sudo policies instead. One wrinkle worth knowing: bash drops its effective UID back to the real UID at startup when the two differ (unless started with -p), so a SUID program that shells out normally calls setuid(0) or setresuid() first to make the privilege stick. If a hijacked helper runs but gets "Permission denied" on the target file, that is usually why.

  2. Step 2: Drop in a fake md5sum
    Create a script named md5sum that simply calls `/bin/cat /root/flag.txt`, mark it executable, and `export PATH=.:$PATH`. Running flaghasher now prints the flag instead of a hash.

    Prepending . (the current directory) to PATH is a classic privilege escalation technique. The current directory is never in PATH by default on modern Linux systems specifically because of this attack: if it were, any malicious executable in the current directory would shadow system commands. However, PATH can be freely modified in a shell session, and a child process inherits the caller's environment, so an attacker who controls PATH can plant fake commands anywhere in the search order. Note that . is resolved relative to the working directory of the process doing the lookup, so the fake md5sum must sit in the directory flaghasher is launched from.

    The fake md5sum script demonstrates binary shadowing: planting a look-alike executable earlier in the search path than the legitimate system utility. In real penetration testing, this technique is used to establish persistence (replacing cron-invoked scripts), escalate privileges (replacing commands called by SUID binaries), or intercept sensitive data (replacing commands like ssh that handle credentials).

    The correct fix is for flaghasher to invoke /usr/bin/md5sum by absolute path and to reset PATH to a known-good value (or clear the environment entirely) before calling out, ideally via fork()/execve() with a fixed path rather than system() or bash -c, so that no shell takes part in resolving the name. CWE-426 (Untrusted Search Path) and CWE-427 (Uncontrolled Search Path Element) describe this weakness, and the CERT C rule ENV03-C (sanitize the environment when invoking external programs) gives the mitigation; CWE-78 (OS Command Injection) is the related weakness in which the attacker controls the command string itself rather than the lookup.
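As an added example (not the challenge's own code), the following POSIX shell script reproduces Steps 1 and 2 locally with no privileges involved: a stand-in flaghasher_vuln that calls md5sum by bare name, a hardened flaghasher_fixed that resets PATH and uses an absolute path, a fake md5sum, and a helper run_with_hijacked_path that runs a target with . prepended to PATH. The secret file, the two stand-in scripts and all of their names are constructed for this demonstration; /bin/sh -c stands in for the real binary's /bin/bash -c, and the lookup rule is the same.

```shell
#!/bin/sh
# Added example: local reproduction of the PATH hijack, no SUID bit and no root.
# File names, the secret and the two stand-in "flaghasher" scripts are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'hello\n' > secret.txt          # stands in for /root/flag.txt (constructed)
MD5SUM=$(command -v md5sum)            # resolved now, before PATH is touched

# Vulnerable stand-in: md5sum is named without a path, so the lookup walks PATH
# (the real flaghasher does the same via /bin/bash -c; /bin/sh -c resolves identically).
cat > flaghasher_vuln <<'EOF'
#!/bin/sh
exec /bin/sh -c 'md5sum secret.txt'
EOF

# Hardened stand-in: PATH reset to a trusted value and the tool called by absolute path.
cat > flaghasher_fixed <<EOF
#!/bin/sh
export PATH=/usr/bin:/bin
exec /bin/sh -c '$MD5SUM secret.txt'
EOF

# Attacker-controlled md5sum, the same trick as Step 2 (with a shebang so the kernel,
# not a shell fallback, runs it).
cat > md5sum <<'EOF'
#!/bin/sh
/bin/cat secret.txt
EOF
chmod +x flaghasher_vuln flaghasher_fixed md5sum

# Run a target with "." prepended to PATH, as Step 2 does, and return its first output line.
run_with_hijacked_path() {
    PATH=".:$PATH" "./$1" | head -n 1
}

# Demonstration: the vulnerable stand-in leaks the secret, the hardened one prints a hash.
echo "vulnerable: $(run_with_hijacked_path flaghasher_vuln)"
echo "hardened:   $(run_with_hijacked_path flaghasher_fixed)"
```

The hardened script still works with the hijacked PATH because the reset happens inside the privileged program, before the lookup, which is the property the fix must have: sanitising PATH in the caller's shell is no defence, since the attacker is the caller.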

Flag

picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_bfa4...}

Classic PATH hijacking: whenever a privileged program invokes a system tool by bare name, check what PATH it inherits and where the first match actually lives.
