I am posting this question here due to this "Questions about approaches to penetration testing with Back Track are welcome." from the sticky. I must apologize slightly as I am still not an expert in this field but I have learned a lot. Also, I am doing this post from memory as the IT building is closed for the night and I can't look to see what was open etc...

Objective:
I am a college student majoring in network security. On our lab report is a bonus which is to own a "mystery machine" and read a file that wouldn't normally be accessible remotely.

Network Setup:
The mystery machine is one router away and is on the same subnet and DHCP client.

The box:
After hours of scanning and probing we have found:
OS: BackTrack 2
About 8 ports open.
The vulnerability is PHP based as he is running BeEF (not set up, v.02 I think) and phpMyAdmin (2.10.1)
It has Apache running v 1.3.3.7
PHP v 4.4.4
TightVNC (could not find exploits for the version he is running and this has a Java front end on port 641?)

We have used Metasploit v3.2 and 3.3 for over 20 hours in an attempt to get a shell but the exploits have not worked.
Version 3.3 has a bug in it that prevents us from using the PHP cookie exploit involving zval? (do search -t exploit cookie to find it)

deserialize() is what should be exploitable. I know the config file uses this. Can anyone point me towards an exploit that is sure to work as long as I put in the right stuff? It doesn't have to be Metasploit; Bash and Perl work. PHP scripts, however, I am not sure how to do yet, and that may require a brief explanation as to how to launch.

I thank you ahead of time for any help. This is due by Monday and I have tomorrow to work on it before I have to just type up what we have thus far and hope for pity points.

Thanks Again,
~Bil