Read my writeup for Static machine:
TL;DR
User: In the robots.txt file we found two URLs, [/vpn] and [ftp_uploads]. We downloaded the db.sql.gz file from the FTP and fixed the corrupted file using fixgz. In the fixed file we found the hash of the admin credentials for the [/vpn] portal. We created an OTP and logged in as admin to the [/vpn] portal. From the VPN portal we downloaded the web.ovpn file, and using that we could access the [web] website. There we found the file info.php, which led us to a PHPInfo page. On that page we found the Xdebug PHP extension, which leads to RCE. Using that, we got a shell as the www-data user.