picoCTF2018 Miscellaneous Absolutely-relative

picoCTF2018 Miscellaneous Absolutely-relative

Objective:
In a filesystem, everything is relative ¯\_(ツ)_/¯. Can you find a way to get a flag from this program [1] ? You can find it in /problems/absolutely-relative_2_69862edfe341b57b6ed2c62c7107daee on the shell server. Source [2] .

Here is the program we need to retrieve the flag

#include <stdio.h>
#include <string.h>

#define yes_len 3
const char *yes = "yes";

int main()
{
    char flag[99];
    char permission[10];
    int i;
    FILE * file;


    file = fopen("/problems/absolutely-relative_2_69862edfe341b57b6ed2c62c7107daee/flag.txt" , "r");
    if (file) {
     while (fscanf(file, "%s", flag)!=EOF)
     fclose(file);
    }

    file = fopen( "./permission.txt" , "r");
    if (file) {
     for (i = 0; i < 5; i++){
            fscanf(file, "%s", permission);
        }
        permission[5] = '\0';
        fclose(file);
    }
 
    if (!strncmp(permission, yes, yes_len)) {
        printf("You have the write permissions.\n%s\n", flag);
    } else {
        printf("You do not have sufficient permissions to view the flag.\n");
    }
 
    return 0;
}

Solution:




As you can see it is opening two files flag.txt and permission.txt

Flag.txt is calling on an absolute path to the where the flagt.xt file is located
however permission.txt is using a path relative to where the application is being run from


Let's create a file called permission.txt in our home directory and then run the program

echo "yes" > permission.txt

cat permission.txt

yes



ok lets run the program now from the home directory

@pico-2018-shell:~$ /problems/absolutely-relative_2_69862edfe341b57b6ed2c62c7107daee/absolutely-relative
You have the write permissions.
picoCTF{3v3r1ng_1$_r3l3t1v3_372b3859}

that was easy