Permissions picoCTF 2023 Solution

Published: April 26, 2023

Description

SSH into the target host and enumerate the root-owned challenge files. Proper directory traversal and permissions understanding lead straight to the flag.

SSH to saturn.picoctf.net on port 54578 with the provided password.

Run pwd so you know where you landed, then walk up to / and into challenge/. The flag file is root-owned but world-readable, so no privilege escalation is needed; you just have to find it.

```bash
ssh -p 54578 picoplayer@saturn.picoctf.net
# password when prompted: Sd9KYTm5kr
pwd
cd / && cd challenge
cat metadata.json
```

  1. Step 1: Walk to /challenge
    Run pwd first. Depending on how the SSH session is configured you may not start in /home/picoplayer/, so blindly running cd ../.. can land you somewhere unexpected. Once you confirm where you are, walk to / and cd into challenge/. The files there are world-readable even though root-owned.

    Linux file permissions are represented as three permission triplets: owner (u), group (g), and others (o). Each triplet has read (r/4), write (w/2), and execute (x/1) bits. A file with permissions -rw-r--r-- is readable by everyone but writable only by the owner. The key insight here is that ownership and readability are independent: a root-owned file can still be world-readable if the permissions allow it. The challenge name suggests privilege escalation, but the actual goal is simpler: locate the world-readable file root left in /challenge/.

    cd / jumps you straight to the filesystem root regardless of your starting directory. From there, cd challenge enters /challenge/. Use pwd first so you know whether you started in /home/picoplayer/ or somewhere else; relative cd ../.. is brittle.

  2. Step 2: Read the metadata
    Open metadata.json (or use vim if you prefer). The flag is stored in that JSON document.

    vim is a modal text editor installed on virtually every Unix system. In CTF challenges, sometimes cat is restricted or the file viewer has to be a specific tool - but vim (or vi) is almost always available. Open a file with vim filename, navigate with arrow keys or hjkl, and quit with :q (no changes) or :q! (discard changes).

    The challenge name permissions teaches that security is not just about what you own but about how permissions are configured. Privilege escalation challenges often hinge on a misconfigured file or directory that is readable or writable by a lower-privileged user. A root-owned file that is world-readable exposes its contents to any user on the system - a real-world example would be a private key or database credential stored with overly permissive modes.

    A useful habit: always run ls -la /, ls -la /home/, and ls -la /opt/ when you first land on a new Linux machine, whether in CTF or pentesting. Unusual directories with loose permissions often signal the next step. (The classic SUID hunt with find / -perm -4000 2>/dev/null is a different recon track for actual privilege escalation challenges; this one is purely about world-readable files, so save SUID enumeration for challenges where you genuinely need to elevate.)
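
The following added example, not part of the original writeup, turns the permission-triplet explanation and the ls -la habit above into an audit: it decodes an octal mode into its three triplets and lists files owned by a given user that "others" can read. The function names are hypothetical, and stat -c assumes GNU coreutils on a Linux host.

```sh
#!/bin/sh
# Added example: audit a directory tree for files owned by one user
# (default: root) that the "others" triplet is allowed to read.

# Convert an octal mode such as 644 into its rwx triplets (rw-r--r--).
# The body runs in a subshell so its variables do not leak to the caller.
mode_to_triplets() (
    bits=$((0$1))                  # leading 0 makes the shell parse it as octal
    out=""
    for shift in 6 3 0; do         # owner, group, others
        t=$(( (bits >> shift) & 7 ))
        r=-; w=-; x=-
        if [ $((t & 4)) -ne 0 ]; then r=r; fi   # read    = 4
        if [ $((t & 2)) -ne 0 ]; then w=w; fi   # write   = 2
        if [ $((t & 1)) -ne 0 ]; then x=x; fi   # execute = 1
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
)

# List regular files under DIR owned by OWNER whose others-read bit (004)
# is set. Output per file: "<octal mode> <triplets> <path>".
# Usage: world_readable_owned_by DIR [OWNER]
world_readable_owned_by() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -004 2>/dev/null | sort |
    while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")    # assumption: GNU stat
        printf '%s %s %s\n' "$mode" "$(mode_to_triplets "$mode")" "$path"
    done
}
```

On your own host, world_readable_owned_by /etc root is a quick way to review which root-owned files any local account can read, which is where overly permissive keys or credential files show up.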

Flag

picoCTF{uS1ng_v1m_3di...f1a}

Permissions look scary, but world-readable files make the flag accessible.
