Just in case anyone’s still struggling with the whole password prompt thing:
The password prompt for www-data happens when the SSH connection is initiated. Since SSH Keys are created it should happen without a password prompt as is specified in the exploit’s source code Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2) - Linux local Exploit
The thing is openssh ignores keys if certain conditions aren’t met regarding the file / folder permissions.
So here are the ones I know of:
private key → 600
.ssh folder → 700
authorized keys → 640
What worked for me is replacing the following line in the exploit
mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
by these lines
# mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
cat "$KEY.pub" >> ~/.ssh/authorized_keys || return 1
chmod 640 ~/.ssh/authorized_keys || return 1
Other permissions were already adequate so I didn’t bother with them.
Good luck!