Read my writeup for Inject machine on:
TL;DR
User: Discovered a Local File Inclusion vulnerability in the image upload feature, which led to the discovery of a pom.xml file that revealed a vulnerable version of spring-cloud-function-web with CVE-2022-22963. Exploited the vulnerability to gain a reverse shell as frank. Found phil's credentials in the settings.xml file in the /home/frank/.m2/ directory.
Root: Observed a scheduled task running on the target machine which removed the contents of the directory /opt/automation/tasks/ and copied the original file playbook_1.yml from /root. Found an Ansible playbook in /opt/automation/tasks/. Uploaded a new playbook that created an SUID of /bin/sh as root.
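
A defender-side check for the first link in that chain, as an added example that is not part of the original writeup: it audits a pom.xml for spring-cloud-function-web at a release affected by CVE-2022-22963. The fixed releases (3.1.7 and 3.2.3) are taken from the vendor advisory rather than from this page, and the sample POM, its version value and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ARTIFACT = "spring-cloud-function-web"

# Constructed sample POM (not the file from the machine); the version is an assumption.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><scf.version>3.2.2</scf.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>${scf.version}</version>
    </dependency>
  </dependencies>
</project>
"""

def is_affected(version):
    """True/False for a concrete version, None when it cannot be determined."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return None  # version inherited from a parent or BOM: resolve it manually
    v = tuple(int(x) for x in m.groups())
    # Fixed in 3.1.7 and 3.2.3; older unsupported lines are affected as well.
    return v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3)

def audit_pom(pom_xml):
    """Return [(version, affected)] for every spring-cloud-function-web dependency."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]  # drop the Maven XML namespace
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        if dep.findtext("artifactId", "").strip() != ARTIFACT:
            continue
        raw = (dep.findtext("version") or "").strip()
        m = re.fullmatch(r"\$\{(.+)\}", raw)  # resolve ${property} references
        version = props.get(m.group(1), "") if m else raw
        findings.append((version or None, is_affected(version)))
    return findings

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        print(f"{ARTIFACT} {version}: affected={affected}")
```

A result of `None` means the version is managed elsewhere (parent POM or BOM) and has to be resolved from the effective POM before the dependency can be cleared.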