james
Checking for sudo privileges of the james user after performing a manual system enumeration
james@blaze:~$ sudo -l
Matching Defaults entries for james on blaze:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on blaze:
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *The james user is able to execute the /usr/bin/tar -czvf /tmp/backup.tar.gz * command as anyone without getting prompted for password
/Practice/Cockpit/4-Post_Enumeration/attachments/{F6C6FE39-2080-4DD7-A14D-75799C87E378}.png)
According to GTFOBins, tar can be abused for privilege escalation
Given, there is an asterisk, *, character at the end of the command, I could just spawn a shell
Moving on to the Privilege Escalation phase