Read my Write-up to Horizontall on:
TL;DR

User: Found the subdomain api-prod in one of the JavaScript files. By enumerating the subdomain, we found the login page of a Strapi system. We reset the admin password using CVE-2019-18818, and using the same exploit we wrote our SSH public key to /opt/strapi/.ssh/authorized_keys, which allows us to log in with our SSH private key and get a shell as the strapi user.

Root: Found a local service on port 8000 (running as root), which is a Laravel system. Using CVE-2021-3129, we wrote our SSH public key to /root/.ssh/authorized_keys, which allows us to log in with our SSH private key and get a shell as the root user.