Read my writeup for Health machine:
TL;DR
User: By redirecting the monitoring URL to the internal port 3000, we discover that it is running Gogs. We also find an SQL injection vulnerability in Gogs, which allows us to obtain the password and salt for the susanne user.
Root: Examining the monitoring health php code, we see that it has the ability to read local files using file_get_contents. We create a new task and modify the monitored URL in the database (the database credentials can be found in /var/www/html/.env) to /root/id_rsa. This gives us access to the root user’s SSH private key.
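
One way to harden a monitored-URL fetch against the two issues summarized above (a redirect to an internal port, and a local path reaching file_get_contents). This is an added example, not code from the Health application or the writeup; the function names, the stub resolver and the sample host are hypothetical.

```php
<?php
// Added example; safe_monitor_target() and fetch_monitored() are hypothetical names.
// Returns the vetted IP list for $url, or null if the URL must not be fetched.
function safe_monitor_target(string $url, callable $resolve): ?array
{
    $parts = parse_url($url);
    // A bare path such as "/root/id_rsa" has no scheme or host; file:// has no host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $host = trim($parts['host'], '[]'); // strip brackets from IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) {
        return null; // unresolvable host
    }
    foreach ($ips as $ip) {
        // Reject loopback, link-local and private (RFC 1918) addresses.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $ips;
}

function fetch_monitored(string $url): ?string
{
    if (safe_monitor_target($url, 'gethostbynamel') === null) {
        return null;
    }
    // Do not follow redirects: a 3xx answer could point back at an internal port.
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,
        'max_redirects'   => 0,
        'timeout'         => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Constructed sample inputs, checked with a stub resolver so this runs offline.
$fakeDns = fn(string $h) => $h === 'status.example.org' ? ['93.184.216.34'] : false;
$samples = ['/root/id_rsa', 'http://127.0.0.1:3000/', 'http://status.example.org/health'];
foreach ($samples as $u) {
    printf("%-34s %s\n", $u, safe_monitor_target($u, $fakeDns) ? 'allow' : 'reject');
}
```

The check and the fetch resolve the hostname separately, so pin the connection to the vetted IP where DNS rebinding is in scope, and run the same validation when the URL is read back from the database, not only when the task is created.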