You can download it here:

Use nmap to discover the target:


Checked port 80 and got stuck for a very long time.

Noticed that there is only one dynamic page, /thankyou.php?firstname=asdf&lastname=asdf&country=australia&subject=asdfasdf; tried SQLi but failed.
Finally found the hint from the author:
It seems there is a local file inclusion in thankyou.php.



So I can visit / (asdfasdf is the PHP eval function; Windows Defender is killing it, so…), and this entry will be written to the nginx access log. Then include the nginx access log, leading to LFI.
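
The same sequence seen from the defender's side, as an added example that is not part of the original write-up: a scanner that flags access-log entries carrying a PHP tag and requests whose parameters point at local files. It assumes nginx's default "combined" log format; the sample lines, the documentation-range IP address and the parameter name `page` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r'<\?(php|=)', re.I)                     # code marker stored in a log field
LOCAL_PATH = re.compile(r'(\.\./|^/var/log/|^/proc/self/)')   # value pointing at local files

# Constructed sample entries; "page" is a hypothetical parameter name.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "GET /thankyou.php?firstname=a&lastname=b&country=australia&subject=c HTTP/1.1" 200 852 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2020:10:02:13 +0000] "GET /<?php/*constructed-placeholder*/?> HTTP/1.1" 404 169 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2020:10:02:40 +0000] "GET /thankyou.php?page=/var/log/nginx/access.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (line_number, client_ip, reason) for each suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            findings.append((n, "?", "unparseable line"))
            continue
        fields = (m["request"], m["referer"], m["agent"])
        # Check raw and percent-decoded text: clients may encode "<" and "?".
        if any(PHP_TAG.search(f) or PHP_TAG.search(unquote(f)) for f in fields):
            findings.append((n, m["ip"], "php tag in logged field"))
        # Request line is "METHOD target PROTOCOL"; keep only the target's query.
        target = m["request"].partition(" ")[2].rpartition(" ")[0]
        for name, value in parse_qsl(target.partition("?")[2]):
            if LOCAL_PATH.search(value):
                findings.append((n, m["ip"], f"local path in parameter {name!r}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Both findings coming from one client in quick succession is the pattern described above. The underlying fix is on the application side: do not pass request parameters to include.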


Get a reverse shell:


Now I have a low-privilege shell and need to escalate privileges to root.

Got stuck here for some time; tried several exploits but they did not work, so I decided to see what I can do with SUID files.


Noticed that screen-4.5.0 can be used to escalate privileges; exploit available here: