In Level04 we are given the code of a program owned by flag04 user:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)  
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
    printf("%s [file to read]\n", argv[0]);

  if(strstr(argv[1], "token") != NULL) {
    printf("You may not access '%s'\n", argv[1]);

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
    err(EXIT_FAILURE, "Unable to open %s", argv[1]);

  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
    err(EXIT_FAILURE, "Unable to read fd %d", fd);

  write(1, buf, rc);

The program opens a file passed as first argument if the name does not contain the token string so we cannot use it to open our target token file ... or can we?
Turns out that solving the level was as easy as creating symlink with a different name:

level04@nebula:~$ /home/flag04/flag04 /home/flag04/token  
You may not access '/home/flag04/token'  
level04@nebula:~$ ln -s /home/flag04/token nekot  
level04@nebula:~$ /home/flag04/flag04 nekot