Using nmap, I found a ftp, ssh and http services open.

FTP server have the anonymous user enabled.
Here, I found a backup file
I upload the zip in my local machine, but, to unzip it, I need a password.

Using zip2john, I extract the hash.
Now, I use john to crash the hash.
With this, I am able to unzip the backup file, where I found a md5 hash harcoded.
Using john again, I am able to obtain the password.

The main page is a login formulary, where I can log using the credentials I obtained in the last step.
Here, I found what looks like a car list.

This page is vulnerable to SQLI
Now, I use SQLmap to obtain a shell.
Using this shell I am able to read the user flag.

Reading the php files, I found another password harcoded.
With this password, I was able to found that the postgres user can use vi as sudo using sudo -l.
With this, I can execute a shell ass root.
