Using uniscan, I find a promising LFI link.
Visiting the link I see some juicy information.
Obviously this is a great start, however, I navigated to "/admin.php" and found a very promising SQL error after trying basic injection techniques.
I wasted more time than I'd like to admit trying to leverage this. Trying everything I can think of in sqlmap, I couldn't seem to find any way to exploit this (the reason becomes clear later on).
Moving on with the /etc/passwd file, I see an interesting script associated with the "backup-user" account that might lead to something.
I view the script using the same link I used for /etc/passwd.
It looks like this script creates a tar backup of the /home and web root directories and puts it in reach of a tftp server. I connect to the tftp server and download the tar file and extract it.
Looking in paul's directory, I see SSH public key files.
Logging in with id_key4 I get a "pdmenu" shell.
From here, I select "Edit file" and create a php reverse shell file and place it in paul's home directory.
Then I once again use the LFI and execute the new php file and get a reverse shell.
At this point, my number one concern was figuring out why my SQL injection efforts were futile. Viewing the "admin.php" source code, I can see I was duped.
Moving on, I dirty COW my way to root and find the flag.
This was an enjoyable VM that gave me flashbacks to working in the OSCP labs which is always something I'm looking for!