Read my writeup for Noter machine on
TL;DR
User: Found the JWT secret key using flask-unsign, signed a new JWT token for the blue user, and found the FTP password of the blue user in the notes. Following the password policy, we found the FTP password of the ftp_admin user. From the application backup file we can see that the application uses md-to-pdf; we use CVE-2021-23639 to get RCE.
Root: Found the root MySQL credentials in the application backup files. Using the root credentials, we load a new UDF to get RCE as root.