Permissions picoCTF 2023 Solution

Published: April 26, 2023

Description

SSH into the target host, check what commands you can run as root, and exploit a misconfigured sudo entry to read the flag from /root/.flag.txt.

SSH to saturn.picoctf.net on port 54578 with the provided credentials.

Once inside, run sudo -l to see what commands picoplayer can execute as root without a password.

bash
ssh -p 54578 picoplayer@saturn.picoctf.net
bash
Sd9KYTm5kr
bash
sudo -l

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Discover the sudo entry for vi
    Observation
    I noticed the challenge is named 'permissions' and involves SSH access as a non-root user, which suggested that the privilege escalation path would be a misconfigured permission entry rather than a binary exploit, making sudo -l the obvious first enumeration step.
    Run sudo -l after logging in. The output shows that picoplayer may run /usr/bin/vi as root without a password (NOPASSWD). Text editors like vi can execute arbitrary shell commands from within the editor, which is exactly what makes this a privilege escalation path rather than a simple file-read challenge.
    bash
    sudo -l

    Expected output

    User picoplayer may run the following commands on permissions:
        (ALL) NOPASSWD: /usr/bin/vi
    What didn't work first

    Tried: Check for SUID binaries with find / -perm -4000 instead of running sudo -l

    find -perm -4000 lists SUID binaries, which is a separate privilege escalation class. This box does not have a useful SUID binary planted; the intended path is the sudo rule. Skipping sudo -l entirely means you never see the NOPASSWD vi entry and waste time searching for an exploit that is not there.

    Tried: Run sudo su or sudo bash directly to get a root shell

    sudo su and sudo bash only work if your user is allowed to run su or bash as root. The sudoers rule here grants vi only, so both commands will print 'sorry, user picoplayer is not allowed to execute /bin/su' and exit. You must use the specific binary listed in sudo -l.

    Learn more

    sudo -l (list) is always the first command to run when enumerating privilege escalation paths on a Linux box. It prints every command your current user is allowed to run via sudo, along with whether a password is required. A NOPASSWD entry means you can run that command as root with no additional authentication.

    The challenge name permissions is a hint at sudo permissions, not just filesystem permissions. Many CTF beginners assume privilege escalation requires a kernel exploit or a SUID binary; in reality, a single misconfigured sudo rule is often all you need.

  2. Step 2
    Escape vi to a root shell via GTFOBins
    Observation
    I noticed the sudo -l output granted NOPASSWD access specifically to /usr/bin/vi, which is a well-known GTFOBins binary; its built-in -c flag can execute arbitrary Ex commands, so passing ':!/bin/bash' on startup immediately drops a root shell without needing to interact with the editor.
    Use the NOPASSWD vi entry to open vi as root, then immediately execute a shell command from within vi using its -c flag. The command sudo /usr/bin/vi -c ':!/bin/bash' /dev/null launches vi, runs :!/bin/bash in command mode before you ever see the editor, and drops you into an interactive bash shell running as root.
    bash
    sudo /usr/bin/vi -c ':!/bin/bash' /dev/null
    bash
    whoami
    bash
    cat /root/.flag.txt

    Expected output

    root
    picoCTF{uS1ng_v1m_3dit0r_...}

    After running the command, bash spawns as root. Confirm with whoami (should print root), then read the flag with cat /root/.flag.txt.

    What didn't work first

    Tried: Open vi normally with 'sudo vi /dev/null' and then type ':shell' or ':!bash' interactively inside the editor

    This works eventually but the -c flag approach is cleaner and exits immediately without having to navigate the vi interface. More importantly, if you forget the colon and type just '!bash' you stay in vi's normal mode and get 'E492: Not an editor command' because vi requires the colon prefix to enter Ex command mode before the exclamation mark.

    Tried: Try 'sudo vi -c ':!/bin/sh'' instead of ':!/bin/bash'

    sh works and drops you into a root shell, but the shell prompt looks different and tab-completion is limited, which can confuse users into thinking the escalation failed. bash is preferred because it gives a recognizable interactive prompt. Either binary reads the flag correctly; the confusion is cosmetic.

    Learn more

    GTFOBins (gtfobins.github.io) is a curated list of Unix binaries that can be abused for privilege escalation, file reads, reverse shells, and more when they are granted elevated permissions. Many standard tools such as vi, less, find, awk, and python appear on the list because they have built-in mechanisms to execute arbitrary commands.

    For vi/vim, the -c flag runs an Ex command immediately on startup. The Ex command :!/bin/bash shells out to bash. Because the entire process is running under sudo, the resulting bash session has root privileges. Using /dev/null as the file argument is a common trick to avoid needing a real file to open; vi simply has nothing to display before the shell command runs.

    This is why granting sudo access to text editors is dangerous: even if the intent is only to let a user edit a specific config file, the editor can always be used to break out into a full shell. The safe alternative is to use a more restrictive mechanism, such as sudoedit, which does not allow shell escapes.

Flag

Reveal flag

picoCTF{uS1ng_v1m_3dit0r_...}

The flag lives in /root/.flag.txt and is only readable after escalating to root via the misconfigured sudo vi entry.

Key takeaway

Sudo misconfiguration is one of the most common Linux privilege escalation vectors found in real penetration tests. Any binary that can spawn a subshell, run system calls, or write arbitrary files becomes a full root escalation path when granted NOPASSWD sudo access, even if the intent was only to allow a narrow administrative task. GTFOBins catalogs hundreds of standard Unix tools that fall into this category, covering editors, interpreters, file transfer utilities, and debuggers. The correct mitigation is to use sudoedit for file editing, restrict allowed arguments with sudoers ARGS constraints, or avoid granting sudo access to interactive programs entirely.

Related reading

Want more picoCTF 2023 writeups?

Useful tools for General Skills

What to try next