Nebula level04

https://exploit-exercises.com/nebula/level04/

Goal

Read from the unreadable token file.

Source code

flag04.c

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>   /* declares err(), used below */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

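  /* The filter inspects only the argument string; the file that is
     actually opened below is never checked. */
  if(strstr(argv[1], "token") != NULL) {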
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

Exploit

The /home/flag04 directory has a token file that is readable only by its owner. There is also a C executable in that directory that takes a filename and reads it, but the program refuses to read any filename containing the substring token.

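To get around this, we use a symlink. The check looks only at the name passed on the command line, while open() follows symlinks, so having the flag04 executable open a link with a different name reads the token file for us. The link target is written as an absolute path, because a relative target is resolved from the directory that contains the link, not from the current directory. These are the commands:

ln -s /home/flag04/token ~/link
./flag04 ~/link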
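
A hardened form of the check in flag04.c, as an added example that is not part of the original write-up or the Nebula source: instead of filtering the name, it opens the file first and compares the descriptor's device and inode with the protected file, so symlinks and hard links are refused as well. The function names `open_unless_protected` and `demo`, and the temporary directory with its files, are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only unless the object opened IS the protected file.
 * The decision uses the descriptor's identity (device + inode), not the
 * name, so a symlink, a hard link or another spelling changes nothing. */
int open_unless_protected(const char *path, const char *protected_path)
{
    struct stat prot, got;
    int fd;

    if (stat(protected_path, &prot) == -1)
        return -1;                  /* fail closed: cannot identify it */
    fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    if (fstat(fd, &got) == -1 ||
        (got.st_dev == prot.st_dev && got.st_ino == prot.st_ino)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a token file, an unrelated file, and a symlink and
 * a hard link to the token. Bit i of the result is set if names[i] opened. */
int demo(void)
{
    char dir[] = "/tmp/flag04demoXXXXXX", tok[64], other[64], sym[64], hard[64];
    const char *names[3] = { other, sym, hard };
    int i, fd, opened = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(tok, sizeof tok, "%s/token", dir);
    snprintf(other, sizeof other, "%s/notes", dir);
    snprintf(sym, sizeof sym, "%s/link", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    close(open(tok, O_CREAT | O_WRONLY, 0600));
    close(open(other, O_CREAT | O_WRONLY, 0600));
    if (symlink(tok, sym) == -1 || link(tok, hard) == -1) return -1;
    for (i = 0; i < 3; i++) {
        fd = open_unless_protected(names[i], tok);
        if (fd != -1) { opened |= 1 << i; close(fd); }
    }
    return opened;
}
```

Only the unrelated file opens; the symlink and the hard link are both refused even though neither name contains "token".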