Just wanted to say thank you to @askar .
This was definitely not an easy box for me.
The user took me 2 days ( 4 hours each probably) and I was on the right page pretty fast.
During this time I learned a lot about PHP LFI/RCE and that nmap actually has very nice
scripts for all kinds of services enumeration (including very needed information about our Brazilian dance 
The root was really quick mostly because others are exploiting the same vulnerability and
not bothering to cleanup afterwards
Thanks a lot for the frustrating and fun couple of days