Ellingson

> @r1cin said:
>
> Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell, you need to explicitly set the user ID you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in the second step (instead of the shell call), return to main again, and this time make the shell call, and you’ll get your privileged shell.