PicoCTF 2025 Binary Exploitation—hash-only-2 Writeup

Welcome back to another writeup! In this post, I’ll walk you through how I solved the hash-only-2 challenge from picoCTF 2025, which builds upon concepts introduced in hash-only-1 and also falls under the binary exploitation category.

As with the previous challenge, hash-only-1, we’re once again provided with SSH credentials. After successfully logging into the remote machine, the first step I took was to list the files in the current working directory to get an overview of what we’re working with.

However, there doesn't seem to be anything visible in the current directory. Based on the challenge description, it appears that we’re supposed to work with a binary called flaghasher, but the question is, where exactly is it located?

To locate the flaghasher binary, I used the find command starting from the root directory. It eventually revealed the location of the file, but something unusual caught my attention during the process.

find / -type f -name "flaghasher" 2>/dev/null

This is the output

Even after redirecting errors using 2>/dev/null, I noticed that the errors are still showing up, which seemed odd. That’s when I realized the shell we’re operating in is rbash, or Restricted Bash. rbash is a limited version of the Bash shell designed to restrict user actions for security purposes. It prevents users from performing certain operations such as changing directories with cd, modifying the PATH environment variable, redirecting output in some cases, or running commands from absolute or relative paths that aren't whitelisted.

To overcome this limitation, we need to switch from the restricted shell (rbash) to a standard Bash shell. Doing so will lift the restrictions imposed by rbash, allowing us to execute commands more freely, such as changing directories, setting environment variables, using output redirection, and running custom binaries or scripts.

Just type bash to spawn a Bash shell.
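To see concretely which of the restrictions above rbash really enforces, and why simply typing bash is enough to get out of it, here is a small audit script I'm adding to this writeup. It is not part of the challenge or of the original post; it assumes bash is installed, and the function names (rbash_blocks, rbash_escape_possible, rbash_audit) are my own. It uses bash -r, which is bash's own restricted mode, the same thing rbash is.

```shell
#!/bin/sh
# Added audit script (not from the writeup): exercise the restrictions rbash
# enforces and check whether the escape used in the writeup (an unrestricted
# `bash` found on PATH) is open. `bash -r` == rbash. Assumes bash is installed;
# all function names below are our own.

# rbash_blocks CMD: run CMD inside a restricted bash and return 0 if rbash
# refused it (non-zero exit), 1 if it ran successfully. Note that a command
# which fails for any other reason also counts as "blocked", so only feed it
# snippets that would succeed in a normal shell.
rbash_blocks() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# rbash_escape_possible: return 0 if a user confined to rbash can still launch
# an unrestricted bash by name through PATH; the child shell is not restricted,
# so it can change directory even though the parent cannot.
rbash_escape_possible() {
    bash -r -c 'bash -c "cd / && test \"\$PWD\" = /"' >/dev/null 2>&1
}

# report LABEL SNIPPET: one human-readable line per check.
report() {
    if rbash_blocks "$2"; then
        echo "blocked : $1"
    else
        echo "ALLOWED : $1"
    fi
}

# rbash_audit: print which restrictions hold on this box and whether the
# shell escape is open, so an admin can judge whether rbash buys anything.
rbash_audit() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not installed; nothing to audit"
        return 1
    fi
    report "change directory (cd /)"               'cd /'
    report "modify PATH (PATH=/tmp)"               'PATH=/tmp'
    report "output redirection (> /dev/null)"      'echo x > /dev/null'
    report "command by absolute path (/bin/true)"  '/bin/true'
    report "command by name on PATH (true)"        'true'
    if rbash_escape_possible; then
        echo "ALLOWED : spawn unrestricted bash from PATH (the writeup's escape)"
    else
        echo "blocked : spawn unrestricted bash from PATH"
    fi
}

rbash_audit
```

On a typical box the first four checks come back blocked, running a plain command by name is allowed, and the last line reports the escape as ALLOWED. That is the whole lesson of this challenge from the defender's side: rbash only confines a user while no unrestricted shell or interpreter is reachable through the PATH it starts with, so hardening means starting rbash with a PATH that points at a directory of vetted commands that does not include bash, sh, or scripting interpreters.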

Now let's execute our find command again

Since it's in /usr/local/bin, we can already use it as a command.

Just like in hash-only-1, I was curious whether the same approach would be effective here as well, so I decided to give it a try and follow a similar procedure, and IT WORKS!!

FLAG

Hash-only-2 introduced an additional challenge by using rbash, a restricted shell, which we needed to bypass first before being able to apply the same exploit method as before.
