Permissions

Published: April 26, 2023

Description

SSH into the target host and enumerate the root-owned challenge files. Proper directory traversal and permissions understanding lead straight to the flag.

SSH to saturn.picoctf.net on port 54578 with the provided password.

Navigate into /challenge, list files, and open metadata.json (or similar) with vim or cat.

ssh -p 54578 picoplayer@saturn.picoctf.net
Sd9KYTm5kr
cd ../.. && cd challenge
cat metadata.json

Solution

  1. Step 1: Escalate into /challenge
    After logging in, move two directories up and then into challenge/. The files there are world-readable even though root-owned.

    Linux file permissions are represented as three permission triplets: owner (u), group (g), and others (o). Each triplet has read (r/4), write (w/2), and execute (x/1) bits. A file with permissions -rw-r--r-- is readable by everyone but writable only by the owner. The key insight here is that ownership and readability are independent: a root-owned file can still be world-readable if the permissions allow it.

    cd ../.. navigates two levels up the directory tree. From a home directory like /home/picoplayer/, this lands at the filesystem root /. From there, cd challenge enters /challenge/. This path traversal is straightforward and legal - you are not exploiting anything, just navigating the publicly accessible directory structure.

    Understanding permissions is fundamental to Linux privilege escalation. The ls -la command shows permissions for all files including hidden ones. A common audit step is finding SUID binaries (find / -perm -4000 2>/dev/null) or world-writable files in sensitive locations - both are classic privilege escalation vectors in CTF and real-world pentesting.

  2. Step 2: Read the metadata
    Open metadata.json (or use vim if you prefer). The flag is stored in that JSON document.

    vim is a modal text editor installed on virtually every Unix system. In CTF challenges, sometimes cat is restricted or the file viewer has to be a specific tool - but vim (or vi) is almost always available. Open a file with vim filename, navigate with arrow keys or hjkl, and quit with :q (no changes) or :q! (discard changes).

    The challenge name permissions teaches that security is not just about what you own but about how permissions are configured. Privilege escalation challenges often hinge on a misconfigured file or directory that is readable or writable by a lower-privileged user. A root-owned file that is world-readable exposes its contents to any user on the system - a real-world example would be a private key or database credential stored with overly permissive modes.

    A useful habit: always run ls -la /, ls -la /home/, and ls -la /opt/ when you first land on a new Linux machine, whether in CTF or pentesting. Unusual directories with loose permissions often signal the next step.
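The permission rules described above can be turned into an audit for the misconfiguration this challenge relies on. The following is an added example, not part of the original writeup: it reports regular files that the "others" class can actually read, meaning the file has o+r and every directory from the audited root down has o+x. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def world_readable_files(root):
    """Return sorted (relative_path, mode_string, owner_uid) tuples for regular
    files under root that are readable by 'others' and reachable by them."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            # Without o+x on a directory, others cannot traverse it, so the
            # modes of anything beneath it do not matter to them.
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)

def build_demo_tree():
    """Create a constructed sample tree (not taken from the challenge host)."""
    root = tempfile.mkdtemp()
    layout = {
        "metadata.json": 0o644,     # world-readable, like the challenge file
        "private.key": 0o600,       # owner only
        "locked/notes.txt": 0o644,  # o+r, but parent directory is 0700
        "open/db.conf": 0o640,      # owner and group only
        "open/readme.txt": 0o604,   # o+r without g+r
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not interfere
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "locked"), 0o700)
    os.chmod(os.path.join(root, "open"), 0o755)
    return root

if __name__ == "__main__":
    for rel, mode, uid in world_readable_files(build_demo_tree()):
        print(f"{mode} uid={uid} {rel}")
```

Run against a real directory, an owner uid of 0 in the output marks a root-owned file that any local user can read, which is the situation in /challenge.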

Flag

picoCTF{uS1ng_v1m_3di...f1a}

Permissions look scary, but world-readable files make the flag accessible.
