Using nmap, I found 3 open ports, 22, 80 and 443.

Inside the http server, I found a login page.
I can log with the credentials admin:password.
Inside the page, I found what looks like a store.
Inside the code, they talk about a guy called Daniel.
After some enumeration, I found a formulary.
With caido, I see who this form is using XML, and looks vulnerable to XEE.

I confirm the vulnerability sending a request to nc.
And I also confirm who I can read local files.
Including the user flag.
Now, I decide to exfiltrate the process.php code.
Nothing interesting, but using the same technique I was able to exfiltrate a ssh key.
With this ssh key, I log as daniel using ssh.

After some enumeration I found the file Log-Management.
Here, I found an script where I can write.
So, I write a reverse shell in the script.
And I wait for the admin user to execute his script, giving me a administrator shell.
