Ambassador writeup by evyatar9

Read my writeup for the Ambassador machine on:

TL;DR

User: Exploiting a vulnerability (CVE-2021-43798) in the Grafana software, we were able to obtain the database and admin web credentials. Using these credentials, we were able to access the MySQL database and retrieve the developer user’s credentials.

Root: By discovering the whackywidget application directory on the /opt/my-app/ path, rolling back to a previous Git commit to obtain the consul token, and utilizing the consul_service_exec module in Metasploit, we were able to achieve remote code execution with root privileges.
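For defenders, CVE-2021-43798 is a directory traversal in Grafana's `/public/plugins/<plugin-id>/` route, so attempts show up in HTTP access logs as plugin requests whose path resolves outside the plugin's directory. The following detection sketch is an added example, not part of the original writeup. It assumes a reverse proxy in front of Grafana writing combined-format access logs; the sample lines, IP addresses and function names are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); not taken from the writeup.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2023:10:00:01 +0000] "GET /public/plugins/alertlist/img/icn-alert.svg HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2023:10:00:05 +0000] "GET /public/plugins/alertlist/../../../../../../etc/hostname HTTP/1.1" 200 11 "-" "curl/7.81.0"
203.0.113.9 - - [01/Jan/2023:10:00:06 +0000] "GET /public/plugins/graph/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 400 0 "-" "curl/7.81.0"
198.51.100.4 - - [01/Jan/2023:10:00:09 +0000] "GET /api/health HTTP/1.1" 200 70 "-" "kube-probe"
"""

PLUGIN_PREFIX = "/public/plugins/"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def escapes_plugin_dir(raw_target):
    """True if a /public/plugins/<id>/ request resolves outside that plugin's directory."""
    path = raw_target.split("?", 1)[0]          # ignore the query string
    for _ in range(2):                          # decode twice to catch double percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
    if not plugin_id:
        return False
    base = PLUGIN_PREFIX + plugin_id
    resolved = posixpath.normpath(path)         # collapse ../ and ./ segments
    return resolved != base and not resolved.startswith(base + "/")


def scan(log_text):
    """Return one finding per traversal attempt; 'served' marks a 200 response."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_plugin_dir(m.group(3)):
            ip, _method, target, status = m.groups()
            findings.append({"ip": ip, "target": target,
                             "status": int(status), "served": status == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true means the server answered the traversal request with content, which warrants rotating any credentials stored in files readable by the Grafana process.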