There's a directory traversal vuln.

Once you get the hash, crack it with crackstation, bypass the traffic with burp to login.

to get a rev shell, schedule a task (go to mapping to get a path), and post jsp rev shell.

If the directory listing is disabled, do curl to execute the rev shell.