brucetherealadmin
Checking for sudo privileges of the brucetherealadmin user after making a lateral movement
[brucetherealadmin@armageddon ~]$ sudo -l
matching defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
linguas _xkb_charset xauthority", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
user brucetherealadmin may run the following commands on armageddon:
(root) nopasswd: /usr/bin/snap install *The brucetherealadmin user is able to execute the /usr/bin/snap install * command with sudo privileges
Snap
According to GTFObins, snap can be abused for privilege escalation if configured with sudo privileges
Moving on to the Privilege Escalation phase