If memory serves, I got creds for a machine where the git user was able to run `git diff` with setuid, so you could abuse the pager to escape into an elevated shell.