At this point, we have the capability to access the system via the command line or the madshell.php back door. While this does give us a rather significant amount of access to the target system, you are still a limited user. For example, you can’t read the shadow password file (/etc/shadow), install an application, change settings, add users, etc. To do this, you need to have root access.
Because you simply can’t request root access from the target’s administrator, you have to find an alternate method of escalating your privileges. Fortunately, a large number of exploits are available that can give you that capability. The only obstacle to success is to find one that matches the target’s environment, which can be challenging. Thankfully, one such exploit worked rather well against the target system: the do_brk exploit.
The best way to obtain a working binary that can perform this exploit is to compile exploit code on your mirrored system and transfer it over to your target system via Netcat or a wget command. Again, this highlights the importance of reconnaissance and the added value that a test environment can provide.
With the binary transferred to the target system, exploiting the vulnerability is as simple as typing ./do_brk (in our case) via Netcat. To verify that it worked, type whoami at the command line or via the PHP shell. If the results come back with a root value, then you have successfully “rooted” your target, and the game is over.