This is a Linux machine with only web services exposed. We could upload a webshell by controlling the directory parameter of the upload API endpoint, which gave us the initial foothold on the system.

Next we discovered a sudo rule for our initial user that allows it to execute /bin/cp as another user. There is also an SSH service listening only on localhost, which we could reach by forwarding the port. We then pivoted to the other user by using /bin/cp to write our SSH public key into that user's authorized_keys. Finally, we obtained a root shell (or arbitrary file read) with a LOTL (living off the land) technique; the binary involved here is /bin/man.
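As an added defensive check that is not part of this write-up, the script below audits a sudoers-format file for rules that grant /bin/cp, /bin/man or ALL as another user, the misconfiguration that enabled both pivots above; the sudoers content it scans is a constructed sample, and the list of risky binaries is an assumption to extend for your own environment.

```shell
#!/bin/sh
# Added example, not code from the write-up: audit a sudoers-format file for
# rules that hand a caller /bin/cp or /bin/man as another account. cp can
# overwrite files owned by the run-as user (such as its authorized_keys) and
# man drops into a pager that can escape to a shell, so both deserve review.

# Binaries treated as risky (assumed list; extend it for your environment).
RISKY_BINS='/bin/cp /usr/bin/cp /bin/man /usr/bin/man'

# audit_sudoers_file FILE
# Prints "RISKY: <rule>" for each offending rule; returns 1 if any, 0 if clean.
audit_sudoers_file() {
    awk -v bins="$RISKY_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        { sub(/#.*/, "") }                          # strip trailing comments
        /^[ \t]*$/ || /^[ \t]*Defaults/ { next }     # skip blanks and Defaults
        {
            eq = index($0, "=")                     # user HOST=(runas) TAG: cmd, cmd
            if (eq == 0) next
            m = split(substr($0, eq + 1), cmds, ",")
            for (i = 1; i <= m; i++) {
                c = cmds[i]
                sub(/^[ \t]*\([^)]*\)[ \t]*/, "", c)              # drop "(runas)"
                while (sub(/^[ \t]*(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):[ \t]*/, "", c)) {}
                split(c, parts, " ")                # parts[1] is the command path
                if (parts[1] == "ALL" || parts[1] in risky) { print "RISKY: " $0; hits++ }
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample sudoers content (not the target machine's real file).
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
webuser ALL=(deploy) NOPASSWD: /bin/cp    # lets webuser overwrite deploy's files
webuser ALL=(root) /usr/bin/systemctl restart nginx
EOF

if audit_sudoers_file "$SAMPLE_SUDOERS"; then
    echo "no risky rules found"
else
    echo "review the rules above: they allow file writes or shell escapes as another user"
fi
```

Run it against /etc/sudoers and each file under /etc/sudoers.d as root; the root ALL rule is reported as well, so expect at least that one hit on any normal host.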