You've substantially changed the post since I read it. Since I can't expect you to provide anything to cite, I will remember in future to cite third party screenshots, as is done for Andy Schlafly, the Awful Poo Lady and other people who try to put their mistakes into the memory hole.
When I read it, your post listed several "and then we wait for the user to enter the root password" type tricks. These can't be sped up using someone else's code, you can only wait for the user to fall into your trap. This might happen in a few minutes, a few days or never at all. There are obvious scenarios where it simply can't work (not to mention you seemed to embarrassingly forget how SSH does its thing)
But the current version of the post is more circumspect, retracting some such examples entirely and replacing others with vaguer claims. I, of course, only found this out when I went back to quote some of the relevant bits and found they were gone.
[ It is generally a truism in security research that flaws only get worse. So imagine my surprise to discover that while yesterday Brad had found 20 out of 35 capabilities to be root-equivalent, today the same code has only 18 root-equivalent capabilities. By the time you read it may be even less ]