After gaining a shell as a low-privileged user (often www-data or tom), check for binaries that can be run as root.
Because the unzipping process often runs with high privileges (or as a user with write access to the webroot), you can create a malicious zip file containing a symbolic link.
The machine runs a background cron job or script that automatically processes/unzips files placed in certain directories (like /var/www/html/uploads or the FTP upload folder).