Read my writeup to Shred machine on
TL;DR
User: Found subdomain checkout.shared.htb with SQLi vulnerability, Using SQLi we get the password MD5 hash of james_mason user, By running pspy64 we found that dan_smith runs ipython from /opt/scripts_review directory (we can write to this directory), Using CVE-2022-21699 we get the SSH private key of dan_smith user.
Root: Found the binary /usr/local/bin/redis_connector_dev, Run it locally and we get the password of redis-cli, Using CVE-2022-0543 we get RCE as root.