From nmap, the ssh and http services are open.

This is the web page.

With gobuster, I found other directories.

These are /rename and /torrent.

I used sqlmap to check if there is SQLi in the login page from /torrent.

And there it is, it is running MySQL.

I logged in as admin with SQLi, and I can edit a torrent to upload my stuff. There is an upload directory to access uploaded files.

I created a file, test.png, which is a PHP reverse shell script.

I uploaded it as a screenshot.

It is right there. But I need to change its extension so that it can be executed.

With /rename, I changed the extension to .php.

Accessing it, I got a reverse shell as www-data.
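
For defenders, the upload-then-rename chain above breaks if the server checks file content on upload and refuses extension changes on rename. The sketch below is an added example, not code from the target application or from the original writeup; the function names, the image allow-list and the `UPLOAD_DIR` path are assumptions, and the sample byte strings are constructed.

```python
import os

UPLOAD_DIR = "/srv/app/upload"  # hypothetical upload directory (assumption)

# Magic bytes for the image types the upload form is assumed to accept.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename, data):
    """Return (ok, reason); checks the bytes, not only the claimed extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A valid header can still be followed by script text, so scan the body too.
    if b"<?php" in data.lower():
        return False, "script marker in image data"
    return True, "ok"

def validate_rename(base_dir, old, new):
    """Return (ok, reason) for a rename request that must stay inside base_dir."""
    base = os.path.realpath(base_dir)
    for name in (old, new):
        real = os.path.realpath(os.path.join(base, name))
        if os.path.commonpath([base, real]) != base:
            return False, "path escapes upload directory"
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    if new_ext not in MAGIC:
        return False, "target extension not allowed"
    if new_ext != old_ext:
        return False, "extension change not allowed"
    return True, "ok"

# Constructed sample inputs mirroring the steps in the writeup.
FAKE_PNG = b"<?php /* constructed placeholder body */ ?>"    # script named .png
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16               # genuine PNG header
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    print(validate_upload("test.png", FAKE_PNG))
    print(validate_upload("shot.png", REAL_PNG))
    print(validate_upload("shot.png", POLYGLOT))
    print(validate_rename(UPLOAD_DIR, "abc.png", "abc.php"))
    print(validate_rename(UPLOAD_DIR, "abc.png", "../abc.png"))
```

Either check alone stops the chain as described: the script is rejected at upload, or it stays a non-executable `.png`.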

LinPEAS showed the Linux version 2.6.31, and Dirty COW should work.

I executed the script. After that, I could switch to the new user firefart, who had root privileges.
