OnlyForYou writeup by evyatar9

Read my writeup to OnlyForYou on:

TL;DR

User: Found the vhost beta.only4you.htb. Downloaded the source code and discovered an LFI vulnerability in the /download API. Using this vulnerability, we were able to read the file form.py of only4you.htb and subsequently identified an RCE vulnerability in the email-sending logic. By exploiting this RCE vulnerability, we gained a reverse shell as the www-data user. We then came across local ports 8001 and 3000 (Gogs). We managed to log in to the web portal on port 8001 and extract the password hash of the user john using a neo4j query injection.

Root: After running sudo -l, we discovered that we are allowed to execute pip download as the root user. Leveraging this privilege, we created a malicious Python package with a reverse shell embedded in its setup.py file. Next, we uploaded this package to Gogs and installed the malicious Python package as root. As a result, we obtained a reverse shell as root.