Agile writeup by evyatar9

Read my writeup to Agile machine on

TL;DR

User 1: Discovered a Local File Inclusion (LFI) vulnerability in the Export API and a debug console on the error page. Cracked the Flask Werkzeug console PIN to gain access as the www-data user and establish a reverse shell, then found database credentials and retrieved the password for the corum user.

User 2: Identified a Chrome remote debugging port. Used an SSH tunnel to access this port and reached the SuperPassword page. Clicking Vault revealed the credentials of the edwards user.

Root: Ran sudo -l and found that we can run sudoedit as the dev_admin user. Monitoring with pspy64 showed that the root user executes /app/venv/bin/activate, a file the dev_admin user is allowed to edit. Exploited CVE-2023-22809 to modify /app/venv/bin/activate and gain a reverse shell with root privileges.
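
A defensive check for the sudoedit issue named in the Root step, added here as an example and not taken from the writeup: it flags a host whose sudo version falls in the range the sudo advisory gives for CVE-2023-22809 (1.8.0 through 1.9.12p1) and whose sudoers grants sudoedit without the advisory's env_delete mitigation. The version string, the sudoers path and all function names are constructed or hypothetical; line continuations in sudoers are not handled.

```python
import re

# Range from the sudo advisory for CVE-2023-22809: 1.8.0 .. 1.9.12p1, fixed in 1.9.12p2.
FIRST_AFFECTED = (1, 8, 0, 0)
FIRST_FIXED = (1, 9, 12, 2)
EDITOR_VARS = ("SUDO_EDITOR", "VISUAL", "EDITOR")

def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.12p1' into (1, 9, 12, 1); a missing pN counts as p0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    return FIRST_AFFECTED <= parse_sudo_version(text) < FIRST_FIXED

def sudoedit_rules(sudoers_text):
    """Non-comment, non-Defaults sudoers lines that mention sudoedit."""
    lines = (l.strip() for l in sudoers_text.splitlines())
    return [l for l in lines
            if "sudoedit" in l and not l.startswith(("#", "Defaults"))]

def editor_vars_stripped(sudoers_text):
    """True when Defaults env_delete entries remove all three editor variables."""
    removed = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("Defaults") and re.search(r"env_delete\s*\+?=", line):
            removed.update(v for v in EDITOR_VARS if re.search(rf"\b{v}\b", line))
    return removed == set(EDITOR_VARS)

def audit(sudo_version_output, sudoers_text):
    rules = sudoedit_rules(sudoers_text)
    affected = version_affected(sudo_version_output)
    mitigated = editor_vars_stripped(sudoers_text)
    return {"affected_version": affected, "sudoedit_rules": rules,
            "mitigated": mitigated,
            "exposed": affected and bool(rules) and not mitigated}

# Constructed sample input: users are from the writeup, version and path are made up.
SAMPLE_VERSION = "Sudo version 1.9.9"
SAMPLE_SUDOERS = "edwards ALL=(dev_admin) sudoedit /constructed/path/settings.conf\n"
MITIGATION = 'Defaults env_delete+="SUDO_EDITOR VISUAL EDITOR"\n'

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_SUDOERS))
    print(audit(SAMPLE_VERSION, MITIGATION + SAMPLE_SUDOERS))
```

Feed it the output of sudo -V and the concatenated contents of /etc/sudoers and /etc/sudoers.d; upgrading sudo to 1.9.12p2 or later is the actual fix, and the env_delete line is the interim mitigation.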