PicoCTF 2025 Binary Exploitation—hash-only-1 Writeup
Welcome back to another writeup! In this post, I’ll walk you through how I solved the hash-only-1 challenge from picoCTF 2025, which falls under the binary exploitation category. This challenge involved analyzing a compiled binary, identifying vulnerabilities, and crafting a precise input to manipulate the program’s behavior and achieve the desired outcome. I’ll explain my thought process, the tools I used, and the step-by-step approach I took to exploit the binary and ultimately retrieve the flag. Whether you're new to binary exploitation or looking to sharpen your skills, this breakdown should give you a clear insight into how the challenge was approached and solved. Let's dive in!

We are given SSH credentials for this challenge. After logging in, the first thing I did was list the files in my current directory.

There's a file named flaghasher. What kind of file is it?

It is a compiled ELF binary, so let's go ahead and run it!

The purpose of the flaghasher binary is to read the contents of the file located at /root/flag.txt, compute its MD5 hash, and display the resulting hash value. Instead of printing the actual flag, it only reveals the hash of the flag file, which adds an extra layer of difficulty. Since MD5 is a one-way hash function, reversing the output is not an option; the challenge most likely involves exploiting the binary itself to gain direct access to the flag, or intercepting the file contents before they are hashed.
Flag Retrieval
One idea that immediately comes to mind is to create a custom version of the md5sum command. If the binary executes an external program such as md5sum to compute the hash, it may depend on the PATH environment variable to locate that command. This opens up a potential avenue for exploitation: by crafting our own md5sum script and placing it in a directory that appears earlier in PATH, we might be able to trick the binary into executing our version instead of the real system utility. This technique leverages how Linux resolves executable paths, and it is a powerful way to hijack behavior when a program blindly trusts the environment it runs in.
echo -e '#!/bin/bash\ncat /root/flag.txt' > /tmp/md5sum
This command creates a fake md5sum script in the /tmp directory that, instead of performing a hash operation, simply prints the contents of /root/flag.txt.
Now let's make it executable.
chmod +x /tmp/md5sum
Next, we place the /tmp directory at the beginning of the system's executable search path, ensuring that our fake md5sum is found and executed before the real one.
export PATH=/tmp:$PATH
Now let's execute flaghasher once again.
./flaghasher
This is the output

This type of attack is known as PATH hijacking. It is commonly applicable when a binary invokes external commands by bare name rather than by absolute path, so that the lookup depends on an environment the attacker controls.