Read my write-up to Photobomb machine:
TL;DR
User: Locate the credentials for the /printer endpoint in the HTML source code. Utilize command injection on the image download request’s filetype argument to obtain a reverse shell.
Root: Executing the command sudo -l reveals that the script /opt/cleanup.sh can be run as the root user and the environment variables can be altered. Upon examining the script, it is observed that the find command is not executed with its full path. Taking advantage of this, we craft our own find command and gain a reverse shell as the root user.