• MIRAI

    The content of a sensitive file is still on disk, i.e. not overwritten, even though the file itself has been deleted. That content is readable by user root. User pi can run all commands as root.

    User pi, as part of a default Raspbian install, has not had its password changed. That password is the only authentication required to ssh in as pi, and ssh is available to everyone.



  • CHAINSAW

    A root-owned binary with the SUID bit set does not use a full path for a command it executes. The binary resides in a directory owned by user bobby and can be executed by user bobby.

    Bobby's ssh private key is distributed via email by user administrator, and for some reason the email content is stored on the box, in a file readable by user administrator.

    User administrator runs an application that takes unsanitized input from an Ethereum smart contract. The smart contract does not appear to enforce any signer-based access control: it contains a function that sets the input value, and that function is public. The RPC endpoint of this Ethereum network is for some reason available to everyone.



  • ADMIRER

    A Python script that imports a module without explicitly setting the module search path is invoked by a command. That command carries the SETENV tag in sudoers and can be run as root, provided the caller is user waldo.

    Waldo uses the same credential for logging into the box and for configuring the website.

    Although the MySQL server on the box only listens for local clients, one local client, Adminer, uses a web page as its interface, and that web page is for some reason available to everyone.
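    The Admirer root step above hinges on a privileged Python script trusting whatever search path it inherits. The following is an added example, not the box's own script, of the defensive pattern: pin sys.path to trusted directories before importing anything, so a PYTHONPATH passed through a sudoers SETENV entry cannot redirect the import. Trusted means an existing directory owned by one of the trusted uids (assumed here to be root plus the effective user) that is not group- or world-writable.

```python
#!/usr/bin/env python3
# Added example (not the box's own script): a privileged Python script that
# pins its module search path before importing anything, so that a caller
# allowed to set PYTHONPATH through a sudoers SETENV entry cannot redirect
# the import to a module they control.
import os
import stat
import sys


def is_trusted_dir(path, trusted_uids=(0,)):
    """A search-path entry is trusted only if it is an existing directory,
    owned by one of trusted_uids, and not group- or world-writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid not in trusted_uids:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def harden_sys_path(trusted_uids=(0,)):
    """Remove every untrusted entry from sys.path in place.

    An empty entry (used by `python -c`) means the current working
    directory, so it is resolved before being checked. Returns the
    rejected entries so the caller can log them."""
    kept, dropped = [], []
    for entry in sys.path:
        candidate = entry if entry else os.getcwd()
        if is_trusted_dir(candidate, trusted_uids):
            kept.append(entry)
        else:
            dropped.append(candidate)
    sys.path[:] = kept
    return dropped


if __name__ == "__main__":
    # Under sudo the effective uid is 0, so only root-owned, non-writable
    # directories survive; PYTHONPATH entries pointing at a user-writable
    # directory are dropped before the import below runs.
    for path in harden_sys_path({0, os.geteuid()}):
        print(f"ignoring untrusted search path entry: {path}", file=sys.stderr)
    import json  # stand-in for the script's real module import
```

    Running the script with `python3 -I` (isolated mode, Python 3.4+) also ignores PYTHONPATH and the user site directory; the in-script check additionally rejects writable directories that are already on the default path.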



  • TENET

    root can ssh into the box using a private key. The corresponding public key can be installed automatically by a script. The public key file that the script reads is world-writable, and the script itself can be run by user neil via sudo.

    Neil uses the same credential for logging into the box and for configuring WordPress.

    Neil is a developer who single-handedly works on data migration. The migration tool he built is, in its early stages, vulnerable to PHP object injection, which allows a file of arbitrary name and content to be created on the web server. While publicly holding someone accountable for their mistake, Neil leaks the name of his tool and the fact that a backup exists. Both the tool and its backup are for some reason hosted on the server, available to everyone.