Nebula exploit exercises walkthrough – level04

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂

This program looks like it will read the file passed to it by the first argument. Let’s test that out:

Everything as expected then. The problem is that it explicitly forbids opening of files called token. How can we get round this?

Symbolic links to the rescue again!

Just create a symbolic link to a name that doesn’t match “token”.

So what is this long string? Seems sensible to try and login to the flag04 account with it:

3 thoughts on “Nebula exploit exercises walkthrough – level04

  1. Permalink  ⋅ Reply


    June 25, 2017 at 4:24am

    but how?
    In order to logon to another user I have to logout.
    Then when I go to login with user flag04 I’m asked for a password and since I don’t know the password, I can’t execute ‘getflag’. Can’t copy the string to use it as a password bc I can’t select and copy shit from my terminal. grrrrrrrrrrrr
    Fucking irritating

    • Permalink  ⋅ Reply


      December 4, 2017 at 1:33am

      you should try learning some linux first..

      you can use “su flag04” for example.

  2. Permalink  ⋅ Reply


    November 19, 2017 at 7:11pm

    Don’t logout, use :
    $ su flag04

Leave a Reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.