Read my Writeup to BountyHunter machine on:
TL;DR;
To solve this machine, we begin by enumerating open services – finding the ports 22 and 80.
User: Using XML External Entity (XXE) attack to read the file db.php which includes the credentials of development user.
Root: By running sudo -l we found /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py script, Create a payload to get the root flag from python eval command.