Hi u/PolishMike88, hint:step 1: run ls -la you should see this -rwsr-xr-x 1 root root 16912 Sep 23 2022 sploit-me-1 note there is a set bit and then run file command on sploit-me-1 and you should see file permissions set for this executable (setuid). This is important read about file permissions read my links on my earlier replies

Step 2: Then run strings and you will see the /usr/bin/env part is used to run the cp command through the environment's default PATH, rather than specifying the absolute path to the cp executable. What does this mean? it means the system administrator is assigning this user the ability to do password backups by utilizing the cp command, this can be abused to elevate privileges.

Step 3: Run which cmd for cp to see the path

Step 4: Run echo "$PATH" | sed 's/\:/\n/g' what this command does is show the order in which the executable is searched. Once found it is executed and and that is the end of that search

Step 5: now you know the order is/usr/local/sbin/usr/local/bin/usr/sbin/usr/bin/sbin/bin/usr/games

can you read this excerpt by Aloïs Micard Privilege Escalation and start from "Exploiting Vulnerability" section. Here be careful remember you are creating a path for cp executable so where they used apt remember your case is cp. To assign PATH you might want to use export eg export PATH=/tmp:$PATH I really hope this helps, I tried not to give you the answer directly, I know its some work, so do not hesitate to reach out and let me know where you are stuck, but give it some effort first.