Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:
1. nmap -> find ports 22+80
2. View source -> find creds 'test' and 'test'. Enter creds but they don't go far. Some page called 'expenses.php' which doesn't exist (useful later :-) )
3. Hit up '/robots.txt'. Find /dev.
4. Download pages -> note obvious LFI from the 'users' cookie. Guess that the same pages in /dev are available in /. Test with ../../../../etc/passwd as the user cookie and the LFI works.
5. Using the path /proc/self/fd/2 shows the error log. Note the instance of the 'referer' header being written out - particularly when the expenses.php file can't be found
6. Log in again but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string set.
7. Reroll the 5th step - note the 'thisworks!' string being printed.
8. Passing in cmd=ls as the query yields RCE.
DB credentials can be found at this point.
Don't see obvious privesc yet.
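
How steps 4 to 8 look from the log side, as an added example that is not part of the original post: it flags a PHP open tag in the referer field of an error-log entry, flags traversal or system paths in cookie values, and reports clients that show both. All log lines, addresses and host names are constructed, and the access-log layout assumes a custom LogFormat that records the Cookie header as the last quoted field.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not from the original post). Error-log lines follow
# Apache's "script ... not found" message; access-log lines ASSUME a custom
# LogFormat that appends "%{Cookie}i" as the last quoted field.
ERROR_LOG = [
    "[Tue Mar 05 10:01:12 2024] [php7:error] [pid 811] [client 192.0.2.10:50122] "
    "script '/var/www/html/expenses.php' not found or unable to stat, "
    "referer: http://target.example/index.php",
    "[Tue Mar 05 10:03:40 2024] [php7:error] [pid 811] [client 192.0.2.10:50130] "
    "script '/var/www/html/expenses.php' not found or unable to stat, "
    "referer: <?php echo('thisworks!'); system($_GET['cmd']); ?>",
]
ACCESS_LOG = [
    '198.51.100.7 - - [05/Mar/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 733 "-" "Mozilla/5.0" "users=test"',
    '192.0.2.10 - - [05/Mar/2024:10:00:41 +0000] "GET /index.php HTTP/1.1" 200 1843 "-" "curl/8.0" "users=..%2F..%2F..%2F..%2Fetc%2Fpasswd"',
    '192.0.2.10 - - [05/Mar/2024:10:04:05 +0000] "GET /index.php?cmd=ls HTTP/1.1" 200 9120 "-" "curl/8.0" "users=/proc/self/fd/2"',
]

PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)
REFERER = re.compile(r"\[client (?P<ip>[^:\]]+)[^\]]*\].*referer: (?P<ref>.*)$")
COOKIE = re.compile(r'^(?P<ip>\S+) .*"(?P<cookie>[^"]*)"$')
TRAVERSAL = re.compile(r"\.\./|/proc/self/|/etc/passwd", re.I)

def poisoned_referers(lines):
    """(client, referer) for error-log entries whose referer carries a PHP open tag."""
    found = (REFERER.search(line) for line in lines)
    return [(m["ip"], m["ref"]) for m in found if m and PHP_TAG.search(m["ref"])]

def traversal_cookies(lines):
    """(client, cookie name, decoded value) for cookies holding traversal or system paths."""
    hits = []
    for m in filter(None, (COOKIE.search(line) for line in lines)):
        for part in m["cookie"].split(";"):
            name, _, value = part.strip().partition("=")
            value = unquote(unquote(value))  # decode twice to catch double encoding
            if TRAVERSAL.search(value):
                hits.append((m["ip"], name, value))
    return hits

def chained_clients(error_lines, access_lines):
    """Clients showing both indicators: a poisoned log entry and a file-path cookie."""
    return ({ip for ip, _ in poisoned_referers(error_lines)}
            & {ip for ip, _, _ in traversal_cookies(access_lines)})

if __name__ == "__main__":
    print(poisoned_referers(ERROR_LOG), traversal_cookies(ACCESS_LOG),
          chained_clients(ERROR_LOG, ACCESS_LOG), sep="\n")
```

Either indicator alone is worth an alert; the two together from one client match the chain in the post, where the included log file only executes after the referer has been written into it.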