###### tags: `pwn college` # babysuid write-up ## level 40 This challenge require us to use `mv` command to read `/flag` file.  ### First We already got SUID bit on the `mv` command. So the `/challenge/babysuid_level40` file actually set permission on file with the same name as `/usr/bin/mv` file. So i change the name of `cat` command into `mv` command.  Then I rerun the `/challenge/babysuid_level40` file. This does set the SUID bit into the 'usr/bin/mv' file. But underneath it lies the cat command. ### Second I use the `cat` command (which is now the `mv` command) to print the `/flag` file.  This will gives us the flag.