From nmap, there are ssh and http service opened.

Local Picture

This is the web page.

Local Picture

With gobuster, I got some directories and .php files to look for.

Local Picture

Local Picture

This page is interesting. I got its source code by exposing itself. It is running curl in the background.

Local Picture

Local Picture

I create a reverse shell script rev.php, and open a web server for accessing.

Local Picture

Later, I expose this file and concat with -o to save the file in /uploads/rev.php.

Local Picture

When accessing it, it said 403 Forbidden, but I got the reverse shell as www-data.

Local Picture

Local Picture

There is a strange SUID binary screen-4.5.0. I found that there is an exploit for this version.

Local Picture

Local Picture

Local Picture

Prepare the files, and download them to the victim server.

Local Picture

Local Picture

When all is done, execute the script, and we are root.

Local Picture