Exploiting Poor Configuration

Exploiting this is pretty straightforward.

Knowing we have only a short window (30 seconds) to edit this sh file, we add the command ls -la /root/ to it, quickly save, open a split window and log in via ssh again as sysadmin. If we do this quickly enough, the entire /root/ directory listing is printed to the screen.


We now have root access.

To take this one step further and get a proper shell, we do exactly what we did for user: echo our public ssh key into /root/.ssh/authorized_keys.


We have successfully rooted the box.
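
The misconfiguration used above is a script that runs as root at ssh login but can be edited by an unprivileged account. The audit below is an added example, not part of the original write-up. The temporary directory and file names in it are constructed; on a real host, pass the directory that holds the login scripts.

```shell
#!/bin/sh
# Added example: audit a directory of scripts that root executes at login.
# Prints every file or directory that is group-writable, world-writable,
# or not owned by the expected owner (default: root).
audit_login_scripts() {
    dir=$1
    owner=${2:-root}
    find "$dir" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print | sort
}

# Constructed sample directory (hypothetical file names) with one safe
# script and one that members of the owning group can modify.
make_sample() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho welcome\n' > "$d/00-header"
    printf '#!/bin/sh\necho status\n'  > "$d/10-status"
    chmod 755 "$d/00-header"   # only the owner can write: fine
    chmod 775 "$d/10-status"   # group-writable: the misconfiguration
    chmod 755 "$d"             # directory itself is not writable by others
    echo "$d"
}

# Demo run. The current uid stands in for root so that the ownership
# check passes on the constructed files when run unprivileged.
sample=$(make_sample)
echo "Findings:"
audit_login_scripts "$sample" "$(id -u)"
rm -rf "$sample"
```

Any path this prints is a place where a non-root account can change what root runs at the next login. The fix is root ownership and no group or world write bit on both the scripts and their directory.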