Vulnhub MinU: 1 Walkthrough

by Vince

First off, let me say that this was a very cool box.  The description says "easy / intermediate" but I really think that depends on your set of skills.  I could see how someone could get stuck at a certain point and I think if that's the case, I can point you to something else I've written which should help clarify what you're dealing with and how to get past the obstacle.  I don't want to spoil too much at this point so let's just start off like we normally do.

We kick off with an Nmap scan:


WAF Bypass

by Vince

I'm playing around the other day and I find what looks to be a server which is vulnerable to Local File Inclusion (LFI). I used to work for a company a long time ago and when something would break, I would declare: "Bad code". LFI is bad coding, or perhaps I should say that it's a short-sighted developer who doesn't anticipate the harm that can be caused by calling a file directly with something like: http://example.com/index.php?file=SOMEFILENAME

Seems harmless enough until someone comes along and decides to change the URL to: http://example.com/index.php?file=/etc/passwd

Now all of a sudden -- it doesn't seem all that harmless. So that pretty much gets you up to speed and I assume that if you were searching for WAF Bypass, you already know this and probably more. So as I said, I'm playing around and I discover:


Pentesting 101: The Weakest Link

by Vince

You’ve run your Nmap scan and you found the open web port. From the open web port, you’ve worked your way into the system and you have a low privilege shell. Now what?

The enumeration process starts all over again.

There are more than a few privilege escalation scripts as well as written documents that will aid in this process but only if you’re familiar with the operating system. If you’re hunting for that needle in the haystack but you don’t know what a needle looks like, how will you find it?  Recognizing that needle will come with time and I’m not trying to say you shouldn’t use those scripts.  Do use them but realize it could be overwhelming until you’re a bit more seasoned.
