Another interesting machine from HackMyVm, can be download here.
Nmap scan ports, find 22,80,7080 and 8088.
Port 80 is a service named "sar2html".
Port 7080 is OpenLiteSpeed Control Panel.
Port 8088 is a sample site of OpenLiteSpeed.
Search the vulnerability of sar2html.
Use the POC code to get reverse shell.
Find the password of OpenLiteSpeed admin.
Login OpenLiteSpeed control panel.
Search OpenLiteSpeed vulnerability.
Check the 2nd vuln which needs Authenticated.
Follow the steps, remember to set the value in red square.
Now we are nobody:root.
Generate a new user with root perm, write to /etc/passwd, su to the new user, done!