
The following source code is provided for this task:

```c
#include <stdio.h>
#include <string.h>

#define yes_len 3
const char *yes = "yes";

int main()
{
    char flag[99];
    char permission[10];
    int i;
    FILE * file;

    file = fopen("/problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt" , "r");
    if (file) {
        while (fscanf(file, "%s", flag)!=EOF)
            fclose(file);
    }

    file = fopen( "./permission.txt" , "r");
    if (file) {
        for (i = 0; i < 5; i++){
            fscanf(file, "%s", permission);
        }
        permission[5] = '\0';
        fclose(file);
    }

    if (!strncmp(permission, yes, yes_len)) {
        printf("You have the write permissions.\n%s\n", flag);
    } else {
        printf("You do not have sufficient permissions to view the flag.\n");
    }

    return 0;
}
```


We can see that this is reading two important files:

1. /problems/absolutely-relative_0_d4f0f1c47f503378c4bb81981a80a9b6/flag.txt:
the flag. We don't have permission to read it ourselves, so we have to read
it through the program.
2. ./permission.txt: the file used by the program to determine whether we are
allowed to see the flag file's content.

The program is simply checking if the permission.txt file contains the string
yes, but the permission.txt file in the task directory contains the
string no and we don't have write permission on it.

What we can exploit is the way the paths to these files are specified: the path
to the flag file is absolute, but the path to the permission file is relative,
meaning the permission.txt file will be read from the current working
directory. We can then just navigate to our home directory, create a
permission.txt file there that contains yes and run the program from there.

When we do that, we get the flag: picoCTF{3v3r1ng_1$_r3l3t1v3_3b69633f}.
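As an added example (not part of the original writeup or the challenge source), the C program below contrasts the challenge's cwd-relative lookup with a lookup anchored to a trusted directory through `openat()`. The helper names, the `/tmp` directories and the file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static int says_yes(FILE *f) {              /* bounded read, exact match */
    char buf[10] = "";
    if (!f) return 0;                       /* missing file means "no" */
    if (fscanf(f, "%9s", buf) != 1) buf[0] = '\0';
    fclose(f);
    return strcmp(buf, "yes") == 0;
}

/* Pattern from the challenge: the path resolves against the caller's cwd. */
static int allowed_relative(void) {
    return says_yes(fopen("./permission.txt", "r"));
}

/* Hardened: open the trusted directory by absolute path, then openat() in it. */
static int allowed_trusted(const char *trusted_dir) {
    int dfd = open(trusted_dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return 0;
    int fd = openat(dfd, "permission.txt", O_RDONLY | O_NOFOLLOW);
    close(dfd);
    return fd < 0 ? 0 : says_yes(fdopen(fd, "r"));
}

static void put(const char *dir, const char *text) {
    char path[64];
    snprintf(path, sizeof path, "%s/permission.txt", dir);
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Constructed scenario: trusted dir holds "no", caller-chosen cwd holds "yes". */
int demo(int hardened) {
    char trusted[] = "/tmp/trustedXXXXXX", cwd[] = "/tmp/callerXXXXXX";
    if (!mkdtemp(trusted) || !mkdtemp(cwd) || chdir(cwd) != 0) return -1;
    put(trusted, "no\n");
    put(cwd, "yes\n");
    return hardened ? allowed_trusted(trusted) : allowed_relative();
}

int main(void) {
    printf("relative=%d trusted=%d\n", demo(0), demo(1));
    return 0;
}
```

The relative lookup follows whatever directory the caller starts the program from, while the anchored lookup only ever consults the directory the program's owner controls.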

Original writeup (http://blog.iodbh.net/picoctf2018-misc-miscellaneous-absolutely-relative.html).