Machine can be download here.
Nmap scan ports.
Scan folders and files at port 80.
Check php version.
Google find CVE exploit.
Use pwn code from https://github.com/neex/phuip-fpizdam.
Get reverse shell.
Login mysql as user root and password from robots.txt.
Get a password for emma.
Now we can log in as user emma via ssh.
In home folder, has a SUID file who.
To get root, we need to use both gzexe and who.
Check the man page of gzexe.That means, when a compressed file runs, it will call gzip, which relies on the PATH.
First, compress /bin/id, then make a fake gzip in /tmp and add /tmp into PATH.
Last step, run who. We get root.