Tags: rbash vim 


After connecting to the server with the provided credentials, it turns out that ctfuser is restricted by means of 'rbash'. There is a well-known restricted-shell escape using the vim text editor. To perform the first escape, run vim and execute the following vim commands:

:set shell=/bin/bash
:shell

We end up in an unrestricted bash and are able to run various commands. After poking around we find a binary file in the home directory ('/home/ctfuser/flagReader') which belongs to user 'topsecretuser' and allows read access with group 'secretuser'. The suid bit is set and secretuser can only execute the binary, with no read or write access.
There is also a flag file in the root directory ('/.flag').
Running sudo -l shows that we can run only one executable with the rights of secretuser, which is rvim ('/usr/bin/rvim').
The main difference between rvim and vim is that rvim does not allow escaping to a shell with the previously described technique and, on top of that, allows no shell commands at all.
The first thought after stumbling upon rvim is to run an embedded module such as python or lua, but ':python' and ':lua' show that no such module is installed.
To list all installed features, use the ':version' vim command. Examining the installed features shows that the only interpreter that has been installed is python3.
The following chain of vim commands gives us the flag:

:python3 import os; os.system('mkdir /tmp/.gettheflag/')
:python3 import os; os.system('/home/ctfuser/flagReader /.flag > /tmp/.gettheflag/test')
:r /tmp/.gettheflag/test

The flag is: flag{rVim_is_no_silverbullet!!!111elf}
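
A defender's version of the ':version' check above, as an added example that is not part of the original writeup: it flags vi-family editors granted through sudo when the build has a script interpreter compiled in. The function names and the sample `sudo -l` and feature-list text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a sudo-granted vi-family editor
# for compiled-in script interpreters. All sample text below is constructed.

SAMPLE_SUDO='User ctfuser may run the following commands on this host:
    (secretuser) /usr/bin/rvim'

SAMPLE_VERSION='VIM - Vi IMproved (constructed feature list)
+acl               -lua               -python            +syntax
+cindent           -mzscheme          +python3           -tcl
+cmdline_hist      -perl              -ruby              +viminfo'

# Print vi-family editors that appear as permitted commands in `sudo -l` text.
sudo_editors() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\(/ {
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")      # drop the "(runas)" part
            sub(/^([A-Z]+:[ \t]*)+/, "")           # drop tags such as NOPASSWD:
            n = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], w, " ")             # w[1] is the command path
                if (w[1] ~ /\/(r?vim?|r?view|vimdiff)$/) print w[1]
            }
        }'
}

# Print each interpreter marked as compiled in ("+name" or "+name/dyn").
enabled_interpreters() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' |
        sed -n -E 's#^\+(python3?|lua|perl|ruby|tcl|mzscheme)(/dyn.*)?$#\1#p' | sort -u
}

# $1 = `sudo -l` text, $2 = editor feature list; report a finding or "OK".
audit() {
    editors=$(sudo_editors "$1")
    interps=$(enabled_interpreters "$2" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$editors" ] && [ -n "$interps" ]; then
        echo "RISK: $editors runs via sudo with interpreters: $interps"
    else
        echo "OK"
    fi
}

audit "$SAMPLE_SUDO" "$SAMPLE_VERSION"
```

On a real host, feed `audit` the output of `sudo -l -U <user>` and of the granted editor's `--version` instead of the samples.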