Description
SSH into the target host, check what commands you can run as root, and exploit a misconfigured sudo entry to read the flag from /root/.flag.txt.
Setup
SSH to saturn.picoctf.net on port 54578 with the provided credentials.
Once inside, run sudo -l to see what commands picoplayer can execute as root without a password.
ssh -p 54578 picoplayer@saturn.picoctf.netSd9KYTm5krsudo -lSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Discover the sudo entry for viObservationI noticed the challenge is named 'permissions' and involves SSH access as a non-root user, which suggested that the privilege escalation path would be a misconfigured permission entry rather than a binary exploit, making sudo -l the obvious first enumeration step.Run sudo -l after logging in. The output shows that picoplayer may run /usr/bin/vi as root without a password (NOPASSWD). Text editors like vi can execute arbitrary shell commands from within the editor, which is exactly what makes this a privilege escalation path rather than a simple file-read challenge.bashsudo -lExpected output
User picoplayer may run the following commands on permissions: (ALL) NOPASSWD: /usr/bin/viWhat didn't work first
Tried: Check for SUID binaries with find / -perm -4000 instead of running sudo -l
find -perm -4000 lists SUID binaries, which is a separate privilege escalation class. This box does not have a useful SUID binary planted; the intended path is the sudo rule. Skipping sudo -l entirely means you never see the NOPASSWD vi entry and waste time searching for an exploit that is not there.
Tried: Run sudo su or sudo bash directly to get a root shell
sudo su and sudo bash only work if your user is allowed to run su or bash as root. The sudoers rule here grants vi only, so both commands will print 'sorry, user picoplayer is not allowed to execute /bin/su' and exit. You must use the specific binary listed in sudo -l.
Learn more
sudo -l (list) is always the first command to run when enumerating privilege escalation paths on a Linux box. It prints every command your current user is allowed to run via
sudo, along with whether a password is required. ANOPASSWDentry means you can run that command as root with no additional authentication.The challenge name permissions is a hint at sudo permissions, not just filesystem permissions. Many CTF beginners assume privilege escalation requires a kernel exploit or a SUID binary; in reality, a single misconfigured sudo rule is often all you need.
Step 2
Escape vi to a root shell via GTFOBinsObservationI noticed the sudo -l output granted NOPASSWD access specifically to /usr/bin/vi, which is a well-known GTFOBins binary; its built-in -c flag can execute arbitrary Ex commands, so passing ':!/bin/bash' on startup immediately drops a root shell without needing to interact with the editor.Use the NOPASSWD vi entry to open vi as root, then immediately execute a shell command from within vi using its -c flag. The command sudo /usr/bin/vi -c ':!/bin/bash' /dev/null launches vi, runs :!/bin/bash in command mode before you ever see the editor, and drops you into an interactive bash shell running as root.bashsudo /usr/bin/vi -c ':!/bin/bash' /dev/nullbashwhoamibashcat /root/.flag.txtExpected output
root picoCTF{uS1ng_v1m_3dit0r_...}After running the command, bash spawns as root. Confirm with
whoami(should printroot), then read the flag withcat /root/.flag.txt.What didn't work first
Tried: Open vi normally with 'sudo vi /dev/null' and then type ':shell' or ':!bash' interactively inside the editor
This works eventually but the -c flag approach is cleaner and exits immediately without having to navigate the vi interface. More importantly, if you forget the colon and type just '!bash' you stay in vi's normal mode and get 'E492: Not an editor command' because vi requires the colon prefix to enter Ex command mode before the exclamation mark.
Tried: Try 'sudo vi -c ':!/bin/sh'' instead of ':!/bin/bash'
sh works and drops you into a root shell, but the shell prompt looks different and tab-completion is limited, which can confuse users into thinking the escalation failed. bash is preferred because it gives a recognizable interactive prompt. Either binary reads the flag correctly; the confusion is cosmetic.
Learn more
GTFOBins (gtfobins.github.io) is a curated list of Unix binaries that can be abused for privilege escalation, file reads, reverse shells, and more when they are granted elevated permissions. Many standard tools such as vi, less, find, awk, and python appear on the list because they have built-in mechanisms to execute arbitrary commands.
For vi/vim, the
-cflag runs an Ex command immediately on startup. The Ex command:!/bin/bashshells out to bash. Because the entire process is running under sudo, the resulting bash session has root privileges. Using/dev/nullas the file argument is a common trick to avoid needing a real file to open; vi simply has nothing to display before the shell command runs.This is why granting sudo access to text editors is dangerous: even if the intent is only to let a user edit a specific config file, the editor can always be used to break out into a full shell. The safe alternative is to use a more restrictive mechanism, such as
sudoedit, which does not allow shell escapes.
Flag
Reveal flag
picoCTF{uS1ng_v1m_3dit0r_...}
The flag lives in /root/.flag.txt and is only readable after escalating to root via the misconfigured sudo vi entry.