In this level there are two files in the /home/flag04 directory.
1. A file named token (consider it as a text file)
2. A 32-bit ELF file with the setuid bit set: flag04
This is the code of flag04.c
This program reads the file given as its first argument, provided its name is not “token”. I made a file in the /tmp directory and gave it as the argument to flag04, and it printed whatever was in that file. So it is working! What we have to do is make a duplicate of the file token. I tried a direct copy, but it didn’t work: permission was denied. Then I tried making a symlink to token in the /tmp directory and gave that file as the argument to flag04. Luckily, it worked perfectly!!
$ ln -s /home/flag04/token /tmp/blah
$ ./flag04 /tmp/blah
I was able to read the contents of the file token. But it didn’t give me an escalated shell from level04 to flag04.
But I noted down the content of the file token, and it was the password to the flag04 level. When I logged in, I executed the getflag command and hence completed level04 of Nebula 😀
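
Why the symlink gets past the check, and what a check that holds up looks like, shown as an added example (not the original flag04.c). It assumes the name test is a substring match on the path; the function names and the /tmp sandbox files are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: looks only at the path string (assumed here: a substring test). */
int name_check_allows(const char *path) { return strstr(path, "token") == NULL; }

/* Hardened: open first, then judge the opened object rather than its name.
 * Returns a readable fd, or -1 if the request is refused (fails closed). */
int open_unless_protected(const char *path, const char *protected_path) {
    struct stat want, got;
    int fd = open(path, O_RDONLY);          /* symlinks resolve here */
    if (fd < 0) return -1;
    if (fstat(fd, &got) != 0 || stat(protected_path, &want) != 0 ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);                          /* same inode, whatever it was called */
        return -1;
    }
    return fd;
}

/* Constructed sandbox: a protected file, a symlink to it named "blah", and an
 * unrelated file. Result bits: 1 = symlink allowed, 2 = unrelated file allowed. */
int demo(int hardened) {
    char dir[] = "/tmp/lnkdemoXXXXXX", p[3][64];
    const char *names[3] = {"token", "blah", "notes"};
    int allowed = 0;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    int a = open(p[0], O_WRONLY | O_CREAT | O_EXCL, 0600);
    int b = open(p[2], O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (a < 0 || b < 0 || symlink(p[0], p[1]) != 0) return -1;
    close(a); close(b);
    for (int i = 1; i < 3; i++) {
        int fd = hardened ? open_unless_protected(p[i], p[0]) : -1;
        int ok = hardened ? fd >= 0 : name_check_allows(p[i]);
        if (fd >= 0) close(fd);
        if (ok) allowed |= i;               /* i is 1 or 2, used directly as the bit */
    }
    for (int i = 0; i < 3; i++) unlink(p[i]);
    rmdir(dir);
    return allowed;
}

int main(void) { printf("name check: %d, inode check: %d\n", demo(0), demo(1)); return 0; }
```

The name check lets both the symlink and the unrelated file through, while the inode comparison refuses the symlink and still serves the unrelated file.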