VULNERABLE: obtained root shell via USER='-f root'