How to pwned Nebula : Level 04 - Abuse Symbolic Link

symlink
ctf
nebula
hacking

#1

Exploit-Exercice : Nebula


Level04 - Abuse symbolic link

In this level you will use the binary to read file that we are not permitted to read
Let’s hack !

Here is what exploit-exercice tell us

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :slight_smile:
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

On the exploit-exercice website we have the source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

Here what is interresting in this code :

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

The file that we should read is named token but if the binary see the name token pass as an argument the program will not read the file.

How can we abuse this program ? ( Well is you read the title you’ll know how )

Symlink

We will create a symlink of the token file

ln -s /home/flag04/token /tmp/t0ken

Easy level right ?


(system) #2

This topic was automatically closed after 30 days. New replies are no longer allowed.