Exploiting Poor Configuration

Exploiting this will be pretty straightforward.

Knowing we have a short window (30 seconds) to edit this sh file, we add the command ls -la /root/ to the file, quickly save, open a split window and log in via ssh again as sysadmin. If we do this quickly enough, the entire directory listing is printed to the screen.

We now have root access.

To take this one step further and get a proper shell, we do exactly what we did for user: echo our public ssh key into /root/.ssh/authorized_keys.

We have successfully rooted the box.
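
From the defender's side, the poor configuration used above is a script that root runs at login but that a lower-privileged account can edit. The audit below is an added example, not part of the original write-up; the function names and the directory argument are assumptions, so point it at whichever directory holds the root-executed scripts.

```shell
#!/bin/sh
# Added example (not from the original write-up): list scripts in a directory
# that someone other than the expected owner could modify before they run.
# Usage: audit_root_scripts DIR [EXPECTED_OWNER]   (EXPECTED_OWNER defaults to root)
# Assumes a find that supports -mindepth/-maxdepth (GNU and BSD find both do).

audit_root_scripts() {
    dir=$1
    owner=${2:-root}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # The directory itself: write access here lets a user replace any file in it,
    # even when the files themselves have tight permissions.
    find "$dir" -maxdepth 0 \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/DIR  /'

    # Regular files directly inside it: flag a wrong owner or group/world write.
    find "$dir" -mindepth 1 -maxdepth 1 -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/FILE /'
}

# Number of findings; 0 means only the expected owner can change what gets executed.
count_findings() {
    audit_root_scripts "$@" | wc -l | tr -d ' '
}
```

Any line of output is a file or directory to fix with chown and chmod so that only root can write to it.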