This stage we needed to find a backdoor. This to me meant finding another suid file owned by the
level3 user so that we can read the password. To do this I just did some bash magic using
find:
find / -type f -perm +4000 -user level3 2>/dev/null
This searched the drive for a file with suid permissions owned by level3. There will be a bunch of error messages, such as permission denied, which I send off into the land of /dev/null. Let's see what I found.
 |
| Backdoor |
We can see in the green that we've found the backdoor. The suid bit is set for user, level3. Now I just run it and it appears I'm dropped into a shell. Running, id, I can see that I have the effective ID of level3. Now all I need to do is read the password!
SPOILER! Highlight below to view the password:
l3thal_Rul3Z!
