Spider Write-up by evyatar9

Read my write-up for the Spider machine on:

TL;DR

User: Playing with the registration of the website and examining the cookie, using an SSTI attack on the username field, getting the SECRET_KEY and using it to sign a session cookie, using Flask-Unsign to create malicious cookies and discovering SQL injection using sqlmap, getting Chiv’s password from sqlmap and then logging into the web portal. On the portal, we found a message with a link to another portal with a ticket submission option. From that, we can use SSTI (Server-Side Template Injection) to get a reverse shell.

Root: Found local port 8080 with a shopping portal, using an SSH tunnel to set up a port forward which allows us to hit 127.0.0.1:8080 on the remote host, using XXE injection on login/logout fields to read files, grabbing the SSH key and logging in as root.