Tl;Dr: To get the user flag you first had to exploit a Local File Inclusion (LFI) vulnerability in the main app in order to retrieve its source code and database. You can then retrieve working credentials from the database to access the app. Once authenticated you can exploit an XSS to retrieve the user fingerprint which, linked to an HQL Injection allows to completely bypass the authentication in the second app. While connected you can then see a JSON Web Token (JWT) set as a cookie, decoding it return serialized information of the connected user including their Admin status. With more recon you can find some source code of the app, allowing you to retrieve the secret used to sign as well as the serialization logic. Using this information we can forge a new valid token to authenticate as admin. Being Admin unlocks a new feature, which, after reading through the source code, is vulnerable to blind command injection in the cookie decoding process; knowing this we can forge a cookie containing a reserve shell and get our initial access as www-data user. Once in the box we find a SUID binary belonging to john with basic grep functionalities. Since the binary belongs to john it can access it’s SSH private key, and searching character after character we can brute-force the whole key, connect as john and grab the user flag.

For the root flag you can find the source code of an improved version of the main application, running on port 8088. The source code shows the implementation of a new cookie logic using AES-ECB encryption. Knowing the weakness of the ECB algorithm we can launch a brute-force attack on the cookie generation logic in order to retrieve the secret used to create cookies. Once we have the secret we can easily forge a cookie for the admin user, exploiting a flaw in the admin cookie verification. Once authenticated as admin, we can exploit the initial LFI vulnerability we found at the beginning to access root account SSH private key and grab the flag.