"initctl allows a system administrator to communicate and interact with the Upstart init(8) daemon. When run as initctl, the first non-option argument is the COMMAND. Global options may be specified before or after the command. You may also create symbolic or hard links to initctl named after commands."
-This is a picture of a user who has the /sbin/initctl vuln
-link 1 has the best details on how to execute this priv. escalation.
-key things to remember from this method is that you need to find a service that is not in use. Find the config file for the service in /etc/init and delete (almost) everything. You put in your own bash code that bumps the privilege up to root.