Since binary1
is setuid binary1cracked and invokes system
, you should be able to invoke binary1
with a modified PATH
and therefore do anything that user binary1cracked can do. For example, supply your own version of ls
that reads the .passwd file and place this ls
into your custom PATH.
With bash you can supply a custom PATH by invoking a command like this at the prompt
$ PATH=/my/custom/path ./binary1