Rating:
The following source code is provided for this task :
```c
#include <stdio.h>
#include <string.h>
#define yes_len 3
const char *yes = "yes";
int main()
{
char flag[99];
char permission[10];
int i;
FILE * file;
file = fopen("/problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt" , "r");
if (file) {
while (fscanf(file, "%s", flag)!=EOF)
fclose(file);
}
file = fopen( "./permission.txt" , "r");
if (file) {
for (i = 0; i < 5; i++){
fscanf(file, "%s", permission);
}
permission[5] = '\0';
fclose(file);
}
if (!strncmp(permission, yes, yes_len)) {
printf("You have the write permissions.\n%s\n", flag);
} else {
printf("You do not have sufficient permissions to view the flag.\n");
}
return 0;
}
```
We can see that this is reading two important files :
1. `/problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt`:
the flag. We don't have permission to read it ourselves, so we have to read
it through the program.
2. `./permission.txt` : the file used by the program to determine whether we are
allowed to see the flag file's content.
The program is simply checking if the `permission.txt` file contains the string
`yes`, but the `permission.txt` file in the task directory contains the
string `no` and we don't have write permission on it.
What we can exploit is the way the paths to these files are specified : the path
to the flag file is absolute, but the path to the permission file is relative,
meaning the `permission.txt` file will be read from the current working
directory. We can then just navigate to our home directory, create a
`permission.txt` file there that contains `yes` and run the program from there.
When we do that, we get the flag : `picoCTF{3v3r1ng_1$_r3l3t1v3_3b69633f}`.
