Cp T33n Txt Exclusive May 2026
By default, most Linux/macOS setups give you rw- r-- r-- (owner can read/write, others can only read). If you want exclusive read‑only access for yourself, change the mode after copying:
cp -n source.txt ~/private/
chmod 600 ~/private/source.txt # rw------- (owner only)
| Mode | Symbolic | Meaning |
|------|----------|---------|
| 600 | rw------- | Only you can read/write |
| 644 | rw-r--r-- | Owner read/write; others read‑only (default) |
| 660 | rw-rw---- | Owner & group read/write; others none |
Tip: Add yourself to a dedicated “notes” group and give the group read/write permission (chmod 660). Then you can safely share the folder with a sibling or teammate without exposing the files to the whole world.
The challenge provides a small Linux VM with a single user account (ctfuser). Inside the home directory there are a few files and a directory called exclusive. The goal is to obtain the flag located in ~/flag.txt.
A quick glance at the filesystem shows:
$ ls -la
total 24
drwxr-xr-x 3 ctfuser ctfuser 4096 Apr 10 12:00 .
drwxr-xr-x 6 root root 4096 Apr 10 11:55 ..
-rw-r--r-- 1 ctfuser ctfuser 34 Apr 10 12:02 README
-rw-r--r-- 1 ctfuser ctfuser 73 Apr 10 12:01 t33n
drwxr-x--- 2 root root 4096 Apr 10 12:03 exclusive
The flag is not directly readable:
$ cat flag.txt
cat: flag.txt: Permission denied
So we need a way to read flag.txt without having direct read permission.
The hint in the description says:
“The only tool you’re allowed to use is
cp.” cp t33n txt exclusive
That is the only binary we are permitted to execute (the challenge binary disables most other commands via a restricted shell).
Hence the task is to use cp cleverly to read the flag.
If you care about metadata (timestamps, permissions, ownership), add --preserve:
cp -n --preserve=mode,ownership,timestamps source.txt backup/
These elements create a tone that feels authentic, fast‑paced, and peer‑to‑peer, which is crucial for teenage resonance. By default, most Linux/macOS setups give you rw-
$ namei -l flag.txt
f: flag.txt
drwxr-x--- root root 4096 Apr 10 12:00 .
-rw-r----- root root 43 Apr 10 12:00 flag.txt
Thus ctfuser cannot open the file directly. However, the cp command can be tricked into copying a file that we do not have read permission for if we can convince it to read the source as root.
In normal circumstances cp runs with the privileges of the invoking user, so it would also be blocked. The trick lies in the --preserve=mode (or -p) flag, which tries to preserve the original file mode, ownership, and timestamps after the copy. To set those attributes, cp must invoke chmod, chown, and utimensat. If any of those operations require elevated privileges, cp will call the set‑uid helper /usr/lib/coreutils/cp (on many modern distributions) which is set‑uid root.
When cp runs with -p (or --preserve=all), it temporarily escalates to root to set the attributes, and during that phase it opens the source file as root. This is the well‑known “cp -p privilege‑escalation vector”.
Key point: If we copy a file we cannot read with -p, we can later read the copy because cp will have copied the contents as root and then written them to a file we own. | Mode | Symbolic | Meaning | |------|----------|---------|