Scan port 80.
Find a login page at /login.
Check the page source and find a hint. The hint gives us the username and suggests the page may have LFI.
Confirm the LFI with Burp Suite.
Get carls.txt and base64-decode it to get the SSH password.
SSH in as carls, then sudo to user carlos.
Check sudo: we can run DoNotRun.py in the home folder.
We do not have write permission on the file, but we do have write permission on the folder /home/c0ldd. Deleting or creating a file is governed by the permissions on its directory, not on the file itself.
So we can delete the file and create a new file with shell code.
Here is a trick: take care with the file name.
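
A defender's check for the condition in the last steps, as an added example that is not part of the original write-up: it reports when a script named in a sudo rule can be swapped out through a writable parent directory, even though the script itself is read-only. The function names and the constructed temporary layout are assumptions, and the check is simplified (no ACLs, uid 0 not modelled).

```python
import os
import stat
import tempfile

def can_replace(entry, uid, gids=()):
    """True if `uid` can delete or rename `entry` via its parent directory,
    whatever the entry's own mode bits say.
    Assumption: plain mode bits only (no ACLs), and uid is not 0."""
    parent = os.path.dirname(os.path.abspath(entry))
    d = os.stat(parent)
    # POSIX picks exactly one permission class: owner, then group, then other.
    if d.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if d.st_mode & need != need:
        return False
    # Sticky bit (e.g. /tmp): only the entry's owner or the directory's
    # owner may unlink or rename the entry.
    if d.st_mode & stat.S_ISVTX:
        return uid in (d.st_uid, os.lstat(entry).st_uid)
    return True

def audit(script, uid, gids=()):
    """Walk from `script` up to / and list every path component that
    `uid` could swap out from under a sudo rule naming `script`."""
    findings = []
    current = os.path.abspath(script)
    while current != os.path.dirname(current):
        if can_replace(current, uid, gids):
            findings.append(current)
        current = os.path.dirname(current)
    return findings

def demo():
    """Constructed layout: read-only script in a directory the user owns."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    script = os.path.join(home, "DoNotRun.py")
    with open(script, "w") as fh:
        fh.write("print('ok')\n")
    os.chmod(script, 0o444)
    return script, audit(script, os.getuid())

if __name__ == "__main__":
    script, hits = demo()
    print(script, "replaceable via:", hits)
```

Any non-empty result for a path listed in sudoers means the rule should point at a root-owned file in a root-owned directory instead.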