Another interesting machine from HackMyVm, can be download here.
Nmap scan ports, find 22,80,7080 and 8088.
Port 80 is a service named "sar2html".
Port 7080 is OpenLiteSpeed Control Panel.
Port 8088 is a sample site of OpenLiteSpeed.
Search the vulnerability of sar2html.
Use the POC code to get reverse shell.
Find the password of OpenLiteSpeed admin.
Login OpenLiteSpeed control panel.
Search OpenLiteSpeed vulnerability.
'
Check the 2nd vuln which needs Authenticated.
Follow the steps, remember to set the value in red square.
Now we are nobody:root.
Generate a new user with root perm, write to /etc/passwd, su to the new user, done!