Usage writeup by evyatar9

Read my writeup of the Usage machine on:

TL;DR

User: Discovered an SQL Injection vulnerability on http://admin.usage.htb/. Using this, we obtained credentials and exploited CVE-2020-10963 to gain a reverse shell as the dash user.

Root: Found a .monitrc file containing the credentials for the xander user. Running sudo -l, we found the binary /usr/bin/usage_management, which backs up the contents of /var/www/html, a directory we have write access to. We created a symlink to the root SSH key in this directory, ran the backup binary, and retrieved the root SSH key.
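For defenders, the root step comes down to a privileged backup following a symlink planted in a directory an unprivileged user can write to. The check below is an added example, not code from the writeup or from the usage_management binary: it walks a backup source tree without following links and reports every symlink whose target resolves outside that tree. The function name and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return (link, resolved_target) for each symlink under root whose
    target resolves outside root. The walk itself never follows links."""
    root_real = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames but not descended into.
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            try:
                target = path.resolve()  # dangling links still resolve to a path
            except (RuntimeError, OSError):  # symlink loop: report it as well
                findings.append((str(path), "<unresolvable>"))
                continue
            if target != root_real and root_real not in target.parents:
                findings.append((str(path), str(target)))
    return sorted(findings)


def demo():
    """Constructed sample tree: one link stays inside, one leaves the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        webroot = base / "html"
        secret = base / "secret" / "id_rsa"
        (webroot / "assets").mkdir(parents=True)
        secret.parent.mkdir()
        secret.write_text("constructed placeholder, not a real key\n")
        (webroot / "index.php").write_text("<?php ?>\n")
        os.symlink(webroot / "index.php", webroot / "assets" / "home.php")
        os.symlink(secret, webroot / "assets" / "notes.txt")
        hits = find_escaping_symlinks(webroot)
        return [(os.path.relpath(link, webroot), os.path.relpath(target, base))
                for link, target in hits]


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
```

A privileged backup job can run a check like this before archiving and refuse to proceed on any finding, or the archiver can be configured to store links as links instead of dereferencing them.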