Things to look: Miss-configured services (cronjobs), incorrect file permissions (exportfs, sudo), miss-configured environment ($PATH), binary with SUID bit, software or OS with known vulnerabilities.
First try simple sudo:
$ sudo su -
What can we run with sudo?
$ sudo -l
Try su as all users and the username as password
What services are running as root?:
$ ps aux | grep root
Look for vulnerable/privileged components such as: mysql, sudo, udev, python
If /etc/exports if writable, you can add an NFS entry or change and existing entry adding the no_root_squash flag to a root directory, put a binary with SUID bit on, and get root.
If there is a cronjob that runs as run but it has incorrect file permissions, you can change it to run your SUID binary and get a shell.
The following command will list processes running by root, permissions and NFS exports.
$ echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Use netstat to find other machines connected
$ netstat -ano
Command to skip ignored lines in config files
$ alias nonempty="egrep -v '^[ \t]*#|^$'"
If Mysql is running as root, you can run commands using sys_exec(). For instance, to add user to sudoers: