picoCTF Solutions
picoCTF 2026General SkillsMedium

ABSOLUTE NANO picoCTF 2026 Solution

Published: March 20, 2026

Description

You have complete power with nano. Think you can get the flag?

Setup

Launch the challenge instance and SSH in.

Check what sudo permissions are available.

bash
sudo -l

Solution

Walk me through it
  1. Step 1Check sudo permissions
    Run sudo -l. It lists what you can run as root, and shows nano with NOPASSWD here. See the linux CLI guide for more sudo enumeration patterns.
    bash
    sudo -l

    See linux CLI for CTF for sudo and shell escape recipes.

    Learn more

    sudo -l lists the commands a user is permitted (and forbidden) to run as root or another user. The output comes from /etc/sudoers or drop-in files in /etc/sudoers.d/. In CTF challenges, misconfigured sudo rules often grant access to editors, interpreters, or utilities that can be leveraged for privilege escalation.

    A typical permissive output looks like:

    User picoplayer may run the following commands on challenge:
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/nano /etc/hosts
    (root) NOPASSWD: /var/log/*.log

    NOPASSWD: means sudo will not prompt for the user's password. The path can be a single binary, an absolute path with fixed arguments, or a wildcard. Wildcards are dangerous because shell globbing happens before sudo evaluates the rule, so /var/log/*.log can be matched by adding ../ traversal in many cases. Path restrictions only apply to the literal command - once nano runs, it inherits root privileges for everything it can spawn.

    Even after sudo nano drops you into a root editor, sudo's default env_reset behaviour scrubs most environment variables (PATH, LD_PRELOAD, IFS) so you cannot abuse those vectors. The shell escape works because nano spawns its child with a fresh shell, not because of any inherited env. The classic reference for techniques is GTFOBins (gtfobins.github.io). In real engagements, sudo -l is one of the first enumeration steps after gaining a foothold.

  2. Step 2Open nano with sudo
    Run nano with sudo to execute it with root privileges. Nano has a built-in shell escape that preserves the elevated permissions.
    bash
    sudo nano
    Learn more

    nano is a terminal text editor that ships by default on most Linux distributions. When launched as root via sudo nano, the entire process - including any subprocesses it spawns - runs with root privileges. This matters because nano can execute arbitrary shell commands from within the editor session.

    The key concept is privilege inheritance: child processes spawned by a setuid or sudo-elevated process inherit the elevated UID unless they explicitly drop it. Many GUI applications, interpreters, and editors like nano, vim, and less do not drop privileges before executing helper commands, making them dangerous when granted sudo access.

    This is fundamentally different from a SUID binary, which sets the effective UID for a single binary. Sudo grants elevation for the duration of a session, so anything that binary spawns also runs with those permissions - including a shell.

  3. Step 3Spawn a shell from within nano
    Press Ctrl+R to enter Read File mode, then Ctrl+X while in that mode to switch the prompt to 'Command to execute'. Type 'reset; sh' and hit Enter. nano's child shell inherits the parent terminal's stdin/stdout/stderr, so no fd redirections are needed.
    bash
    reset; sh
    Learn more

    The shell-out is a two-step modal chain. Ctrl+R switches nano into Read File mode (the bottom prompt now reads "File to insert"). Ctrl+X while inside Read File mode toggles the prompt to "Command to execute", which feeds your line into /bin/sh -c and inserts its stdout into the buffer. Pressing Ctrl+X from the main editor instead would just exit nano, so the order matters.

    The payload reset; sh works because nano spawns its child shell on the same controlling terminal as the parent, so stdin, stdout, and stderr are already attached to your tty. reset just clears any leftover terminal state. The older GTFOBins one-liner sh 1>&0 2>&0 tries to force-bind fds explicitly, but it is unnecessary here and on some terminals it actually breaks line discipline.

    Similar shell-escape tricks exist in many terminal programs: vim uses :!/bin/sh, less uses !sh, man spawns a shell via !, and awk uses BEGIN {system("/bin/sh")}. All of these become root shells if the parent process runs with elevated privileges.

  4. Step 4Read the flag
    With a root shell, read the flag file.
    bash
    cat /root/flag.txt
    bash
    find / -name flag.txt 2>/dev/null
    Learn more

    Once you have a root shell, you have unrestricted read access to every file on the system, including those owned by root with mode 600. CTF flags are typically placed in /root/flag.txt, /flag, or /flag.txt.

    The find / -name flag.txt 2>/dev/null command searches the entire filesystem hierarchy for a file named flag.txt, suppressing permission-denied errors (2>/dev/null). This is useful when the file location is unknown - but on a root shell those errors no longer occur anyway.

    In a real post-exploitation scenario, a root shell enables credential harvesting (reading /etc/shadow), persistence (adding SSH keys to /root/.ssh/authorized_keys), and lateral movement by reading private keys or configuration files of other users. Understanding this escalation path is why defenders should audit sudo rules carefully and avoid granting editor access.

Flag

picoCTF{4bs0lut3_n4n0_...}

Nano with sudo can spawn a root shell via Ctrl+R Ctrl+X - a classic GTFOBins escape.

Want more picoCTF 2026 writeups?

Browse picoCTF 2026Full library

Useful tools for General Skills

Related reading

What to try next