Nebula – Level04


In this level there are two files in the /home/flag04 directory.
1. A file named token (consider it as a text file)
2. A 32 bit setuid bit enabled ELF file -> flag04

This is the code of flag04.c

int main(int argc, char **argv, char **envp)
char buf[1024];
int fd, rc;

if(argc == 1) {
printf("%s [file to read]\n", argv[0]);

if(strstr(argv[1], "token") != NULL) {
printf("You may not access '%s'\n", argv[1]);

fd = open(argv[1], O_RDONLY);
if(fd == -1) {
err(EXIT_FAILURE, "Unable to open %s", argv[1]);

rc = read(fd, buf, sizeof(buf));

if(rc == -1) {
err(EXIT_FAILURE, "Unable to read fd %d", fd);

write(1, buf, rc);

This program will read a file which is given as the first argument and whose name is not “token”. I made a file in /tmp directory and gave the argument of flag04 and it printed whatever there was in that file. So it is working! What we have to do is make a duplicate file of token, i tried direct copy but it didn’t work permission was denied. Then i tried to make a symlink of token in /tmp directory and gave that file as the argument of the flag04 file, luckily it worked perfectly!!

$ ln -s /home/flag04/token /tmp/blah
$ ./flag04 /tmp/blah

I was able to read the contents of the file token. But it didn’t gave me an escalated shell from level04 to flag04 :/
But i noted down the content of file token and it was the password to the flag04 level and when i logged in i executed getflag command and hence i completed level04 nebula 😀


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s