Using nmap, I found ssh and http open.

Using site map, I was able to find a login page.
Here, I found a log page.
Using the option login as guest I can access the page.
After some enumeration, I found a page who allows you to see your user info, including your access ID.

Changing the ID in the URL, I can access the info of admin user.
With this ID, I am able to access as admin user changing the cookies.

As admin I am able to access a page who allows you to upload files into the local machine.
Using this panel, I upload a reverse shell.
And reading the user flag.

Reading the database config file in the php files I found a password who can be used to log as robert.

With find, I found a root binary with SUID activated.
This ELF binary allows me to read local files.
Using a reverse path vulnerability, I am able to read the root flag.
