From nmap, there are ssh and http service.

Local Picture

This is the web page.

Local Picture

With gobuster, we found that there is a /support/ directory, which is running HelpDeskZ.

Local Picture

I search helpdeskz with searchsploit, and found an arbitrary file upload python script.

Local Picture

It is actually a script to find where our uploaded file located.

Local Picture

We can upload our php reverse shell from this page.

Local Picture

Using the script, we can find our file.

Local Picture

We get a reverse shell as user help.

Local Picture

Take a look at .bash_history, there is a string rOOTmEoRdIE. I tried it as the password for su -, but it fails.

Local Picture

The password is actually RootMeOrDie, and we are root.

Local Picture