doas


While the initial presence of doas as a SUID binary on a Debian-based system is rather questionable, PEAS already enumerated the privileges earlier, and they were specific to the player user. Now that the user account has been compromised and lateral movement has been made, I can proceed to make an assessment.

player@soccer:~$ find / -name doas.conf -ls -type f 2>/dev/null
    74593      4 -rw-r--r--   1 root     root           48 Nov 17  2022 /usr/local/etc/doas.conf

In contrast to sudo, where the sudo -l command lists privileges, doas uses a configuration file, doas.conf, to list them.

player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat

The doas.conf file permits the player user to execute /usr/bin/dstat as the root user without being prompted for a password.
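
From a hardening standpoint, the same rule can be checked automatically. The following is an added example, not part of the original write-up: a small Python auditor that parses doas.conf rules and reports the properties that make a root grant worth reviewing. The function names are my own, and a setenv list is assumed to be written with space-separated braces.

```python
import shlex

FLAGS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Split one doas.conf rule into its fields; None for blank/comment lines."""
    tok = shlex.split(line, comments=True)
    if not tok:
        return None
    rule = {"action": tok[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and (tok[i] in FLAGS or tok[i] == "setenv"):
        rule["options"].add(tok[i])
        if tok[i] == "setenv":          # skip the "{ VAR=value ... }" list
            while i < len(tok) and tok[i] != "}":
                i += 1
        i += 1
    rule["identity"] = tok[i]
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"], i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"], i = tok[i + 1], i + 2
        if i < len(tok) and tok[i] == "args":
            rule["args"] = tok[i + 1:]  # bare "args" means: no arguments allowed
    return rule

def has_shebang(path):
    """True if the file starts with '#!', i.e. it is run by an interpreter."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False

def audit(rule, is_script=has_shebang):
    """Return review findings for a rule that grants root (no 'as' = any user)."""
    if rule["action"] != "permit" or rule["target"] not in (None, "root"):
        return []
    out = []
    if "nopass" in rule["options"]:
        out.append("nopass: no password prompt")
    if rule["cmd"] is None:
        out.append("no cmd: every command is allowed")
    elif rule["args"] is None:
        out.append("no args: caller controls all arguments")
    if rule["cmd"] and is_script(rule["cmd"]):
        out.append("script: review what it loads when run as root")
    return out

PAGE_RULE = "permit nopass player as root cmd /usr/bin/dstat"  # rule shown above
if __name__ == "__main__":
    print("\n".join(audit(parse_rule(PAGE_RULE))))
```
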

dstat


player@soccer:~$ file /usr/bin/dstat
/usr/bin/dstat: Python script, ASCII text executable
player@soccer:~$ ll /usr/bin/dstat
-rwxr-xr-x 1 root root 97762 Aug  4  2019 /usr/bin/dstat*

dstat is a Python-based open-source system monitoring tool for real-time performance analysis. Development reportedly faced challenges, and it was said to be discontinued around 2020. Users may want to explore alternative tools for modern system monitoring.

According to GTFOBins, it may be leveraged for privilege escalation if configured to run as superuser.