Exploit-Exercises: Nebula
Level04 - Abuse symbolic link
In this level you will use the binary to read a file that we are not permitted to read.
Let’s hack!
Here is what Exploit-Exercises tells us:
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.
On the Exploit-Exercises website we have the source code:

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>    /* declares err() */

    int main(int argc, char **argv, char **envp)
    {
        char buf[1024];
        int fd, rc;

        if(argc == 1) {
            printf("%s [file to read]\n", argv[0]);
            exit(EXIT_FAILURE);
        }

        /* Filter on the argument string only, not on the file it resolves to */
        if(strstr(argv[1], "token") != NULL) {
            printf("You may not access '%s'\n", argv[1]);
            exit(EXIT_FAILURE);
        }

        /* open() follows symbolic links */
        fd = open(argv[1], O_RDONLY);
        if(fd == -1) {
            err(EXIT_FAILURE, "Unable to open %s", argv[1]);
        }

        rc = read(fd, buf, sizeof(buf));
        if(rc == -1) {
            err(EXIT_FAILURE, "Unable to read fd %d", fd);
        }

        write(1, buf, rc);
    }

Here is what is interesting in this code:

    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

The file that we should read is named token, but if the binary sees the string token in its argument, the program will not read the file.
How can we abuse this program? (Well, if you read the title you’ll know how.)
Symlink
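We will create a symlink to the token file under a name that does not contain the string token. The check only looks at the text of argv[1], while open() follows the link to the real file.

    ln -s /home/flag04/token /tmp/t0ken
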
Easy level, right?
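
The name filter next to a check on the opened file itself, as an added example (not code from this write-up or from Exploit-Exercises). `open_unless_protected`, `run_demo` and the /tmp sandbox paths are hypothetical names made up for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The level's check: inspects only the characters of the argument. */
static int name_check_allows(const char *path)
{
    return strstr(path, "token") == NULL;
}

/* Hardened variant (hypothetical helper): open first, then compare the opened
 * object's device/inode pair with the protected file's. Returns fd or -1. */
static int open_unless_protected(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd = open(path, O_RDONLY);          /* follows symlinks, like flag04 */
    if (fd == -1)
        return -1;
    if (stat(protected_path, &want) == -1 || fstat(fd, &got) == -1 ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);                          /* same object: refuse */
        return -1;
    }
    return fd;
}

/* Constructed sandbox: <dir>/token and a symlink <dir>/t0ken pointing to it.
 * Result bits: 1 = name check accepts the symlink, 2 = identity check
 * refuses the symlink, 4 = identity check still allows an unrelated file. */
static int run_demo(void)
{
    char dir[] = "/tmp/l04demoXXXXXX", tok[64], sym[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(tok, sizeof tok, "%s/token", dir);
    snprintf(sym, sizeof sym, "%s/t0ken", dir);
    if ((fd = creat(tok, 0600)) == -1 || symlink(tok, sym) == -1) return -1;
    close(fd);
    if (name_check_allows(sym)) r |= 1;
    if (open_unless_protected(sym, tok) == -1) r |= 2;
    if ((fd = open_unless_protected("/dev/null", tok)) != -1) { r |= 4; close(fd); }
    unlink(sym); unlink(tok); rmdir(dir);
    return r;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```

Because the comparison is on device and inode numbers, it also refuses a hard link to the protected file.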