Read my write-up for Previse machine on:
TL;DR
User: Running gobuster and found acounts.php page, Using that we can create a new account, From the web portal we download SITEBACKUP.ZIP file which contains the code of logs.php, By reading the code we found RCE on delim parameter and found also DB credentials on config.php file. Using the RCE on logs.php we get a reverse shell as www-data, Cracking the hash of m4lwhere user which takes from DB and login as m4lwhere user.
Root: By running sudo -l we found /opt/scripts/access_backup.sh, Because we have permission to change the PATH we just create our custom date command to get a reverse shell as root.