This is a Linux machine with only FTP service enabled at first. And then SSH and Web services will open after I knock ports from the secrets which leak by FTP. After that I obtain the user name from web secret and the password for that user within the FTP hidden file, with this credential, I gain an initial foothold on the system.

Then I find a special executable(capsh) with SUID bit set, which could be exploited to get the root shell.