permission denied

Daily AlpacaHackTopic: File PermissionReleased: Apr 29, 2026

76 solves

by

minaminao

Tags

cat: flag.txt: Permission denied

Beginner Hint 1 (AI-translated)

If you connect with nc, you will see that a shell starts up.
If you read chal.sh, you can see that flag.txt is created before the shell starts.
After that, the permissions of flag.txt are set to 400.
These commands are executed by the root user.
So 400 means that only the root user can read the file.
Then runuser -u nobody -- sh starts a shell as the nobody user.
However, if you run cat flag.txt, you get Permission denied, so you cannot read the flag.
So how can you read the flag?

Beginner Hint 2 (AI-translated)

This is a more meta hint, but why does chal.sh bother setting the permissions of flag.txt in the first place?
The permissions of chal.sh are specified in the Dockerfile.
In the same way, it should also be possible to set the permissions of flag.txt in the Dockerfile.
Think about what behavioral difference is created between setting permissions in the Dockerfile and setting them later in chal.sh.