No RFI so log poisoning is an option however looking at the listfiles.php file gives us a few other things to look at:
Checking out this file gives us a password which is encoded 13 times
A little bit to CTF for me but we will carry on.
Once we had decoded the password we used it to login via ssh, i am sure a decent for loop or python script would have been easier than
In the users home dir was a secret.zip file so we downloaded that locally with nc and extracted the hash for cracking and while we waited we tested the existing password we had found
No idea at this point what this file does so keep enumerating the system, does not seem to work for anything like ssh keys etc..
Looking at the running services we see that root is running an xvnc service
So map the port locally with ssl -L and try to connect:
Try to login with xvncviewer and all the passwords you have:
No luck
Check the help file for other options
Try with the secret file we downloaded earlier:
Now you get a root shell via xvnc quite a fun way to pop the machine
This is not ideal so generate a reverse shell with php and set up a listener on port 444
Now you have a reasonably stable root shell to capture the flag and save you typing it out.