Read my writeup of MonitorsTwo on:
TL;DR
User: Found Cacti Version 1.2.22 and used CVE-2022-46169 to acquire a reverse shell as `www-data`. Discovered the SUID file `capsh` and gained a root shell inside the container using `capsh --gid=0 --uid=0 --`. Found the `/entrypoint.sh` file containing the database (DB) credentials. Identified the hashed password of `marcus` in the DB. Successfully cracked the hash using `john` and used the obtained password to establish an SSH connection as `marcus`.
Root: An email from `administrator@monitorstwo` addressed to `marcus` pointed to the vulnerability CVE-2021-41091, which was exploited to obtain a `root` shell.