I found 2 open ports, 68 and 69, dhcp and tftp.
And an http server.

This web have a LFI vulnerability.
Using this vulnerability, I was able to read the .htpasswd file.

Now, I can log in the tftp server and upload a php reverse shell.
Now, using the LFI, I execute the php remote shell.
Now, using the credentials who I found in .htpasswd, I can log ass mike and read the user flag.

Mike is inside the lxd group.
Now, I just need to build a lxc image.
Put this image in the machine.
Import the image in lxc.
And create a container mounting all the disk inside it.
Inside this machine, I have root access to all the filesystem.
Here, I can read the flag, but I created a shell outside the container creating a bash binary with SUID perm.
And now, I have the root shell outside the container, this was unecesary, but its more convenient.
