Pilgrimage writeup by evyatar9

Read my writeup of the Pilgrimage machine on:

TL;DR

User: Discovered the presence of /.git on the main website, utilized git-dumper to clone it, and identified the application’s utilization of magick for image conversion. Leveraged CVE-2022-44268 to exploit a Local File Inclusion (LFI) vulnerability, thereby gaining access to the SQLite database. Extracted the password of emily from the database.

Root: Identified that the user root executes a script and employs the utility binwalk. Exploited the vulnerability CVE-2022-4510 to establish a reverse shell.
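For the User step, CVE-2022-44268 is triggered by a PNG text chunk whose keyword is `profile`, which the converter treats as a file to read. The following upload-side check is an added example, not code from the writeup or the target application. It assumes a conservative match: all three PNG text chunk types, keyword compared case-insensitively. The helper names and the sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # assumption: check every text chunk type

def iter_chunks(data):
    """Yield (type, body) for each PNG chunk; raise ValueError on malformed input."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk body")
        yield ctype, data[pos + 8:pos + 8 + length]
        pos = end
        if ctype == b"IEND":
            break

def suspicious_text_chunks(data):
    """Return (chunk type, keyword) for text chunks whose keyword is 'profile'."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword = body.split(b"\x00", 1)[0]  # keyword ends at the first NUL
            if keyword.strip().lower() == b"profile":
                hits.append((ctype.decode(), keyword.decode("latin-1")))
    return hits

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def _sample_png(text_keyword):
    """Constructed 1x1 grayscale PNG carrying one tEXt chunk (test fixture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", text_keyword + b"\x00constructed-value")
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print(suspicious_text_chunks(_sample_png(b"Comment")))  # benign keyword
    print(suspicious_text_chunks(_sample_png(b"profile")))  # flagged keyword
```

Rejecting or re-encoding flagged uploads before conversion complements, and does not replace, upgrading ImageMagick to a fixed release.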