From nmap, there are ssh and http service opened.

Local Picture

This is the web page.

Local Picture

This is /listfile.php, seems like it executed ls and print out the output.

Local Picture

In pwnbackup.txt, there is an encoded string.

Local Picture

I got the password by decoding it 13 times with base64.

Local Picture

For /browse.php, there is LFI. In /etc/passwd, I got the username charix.

Local Picture

Local Picture

Now, I can ssh to the server as charix. There is secret.zip, it can be unzipped with charix’s password. And there is Xvnc running at port 5901.

Local Picture

I redirect it to local and execute vncviewer with the extracted file as password file.

Local Picture

Now, I am root.

Local Picture