Exploiting Poor Configuration
Exploiting this will be pretty straight forward.
Knowing we have a short window (30 seconds) to edit this sh file, we will invoke the
ls -la /root/ into the file, quickly save and open up a split window and login via ssh again as sysadmin. Doing this quickly we will see the entire directory get printed out to the screen.
We now have root access
To take this one step further and get a proper shell by doing exactly what we did for user, and that is to echo our public ssh key into /root/.ssh/authorized_keys
We have successfully rooted the box.