Try to find your path padawan!
"ch11" has SUID permission, and the "ls" command depends on the PATH environment variable.
The goal is reading the ".passwd".
The soft link "ls" that functions as "cat" reads the ".passwd".
If the current path is included in the PATH environment variable, the vulnerability can occur like above.
But there is something strange.
I changed the path "/tmp/test2" to "/tmp" but it doesn't worked. The "app-script-ch11-cracked" account could not run "/tmp/ls". There was no problem with file permissions(777).
I also used "alias" to make the "ls" to execute "/bin/cat", but it did not work. and I made the "ls" run a bash script file, but SUID was not applied.
It seems that a secure OS is applied the server and the separate invisible security policy is in operation.