The initial foothold and the user shell are both achieved through port 80/http.
Visiting the website, we find a login form and a sign-up form. From the sign-up form we can register a user and then log in, but nothing is possible from there. I can sign up an admin user by using SQL truncation firstname.lastname@example.org. I also add book.htb to /etc/hosts. Then I log in on the /admin directory found by gobuster.
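The SQL truncation issue mentioned above arises when uniqueness is checked on the raw input while the database silently stores a shortened value. The following is an added sketch, not code from this write-up or from the target application, that models the behaviour in Python and shows a hardened registration check; the column width, addresses and function names are constructed for illustration.

```python
# Added example: models a MySQL VARCHAR column in non-strict SQL mode.
# COL_LEN, the addresses and all names below are constructed for illustration.
COL_LEN = 20  # assumed column width, not taken from the target application


def stored(value: str) -> str:
    """What a non-strict VARCHAR(COL_LEN) keeps: over-long input is silently cut."""
    return value[:COL_LEN]


def same_key(a: str, b: str) -> bool:
    """PAD SPACE collations ignore trailing spaces when comparing strings."""
    return a.rstrip(" ") == b.rstrip(" ")


class Users:
    def __init__(self):
        self.rows = []  # list of (email, password) tuples as stored

    def exists(self, email: str) -> bool:
        return any(same_key(row[0], email) for row in self.rows)

    def register_vulnerable(self, email: str, password: str) -> bool:
        # Uniqueness is checked on the raw input, but the truncated value is stored.
        if self.exists(email):
            return False
        self.rows.append((stored(email), password))
        return True

    def register_hardened(self, email: str, password: str) -> bool:
        # Normalise first, reject anything the column cannot hold, then check.
        email = email.strip()
        if len(email) > COL_LEN or " " in email or self.exists(email):
            return False
        self.rows.append((email, password))
        return True

    def accounts_matching(self, email: str) -> int:
        return sum(same_key(row[0], email) for row in self.rows)


def demo():
    admin = "admin@example.org"                          # constructed existing account
    padded = admin + " " * (COL_LEN - len(admin)) + "x"  # constructed over-long input
    weak, strong = Users(), Users()
    for table in (weak, strong):
        table.rows.append((admin, "original"))
    return (weak.register_vulnerable(padded, "new"), weak.accounts_matching(admin),
            strong.register_hardened(padded, "new"), strong.accounts_matching(admin))
```

On MySQL, strict SQL mode rejects over-long values instead of truncating them, and a UNIQUE index on the email column enforces the same rule in the database itself.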
Then, while I am logged in as admin, I use this exploit: https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html and then I get id_rsa.
./logrotten -p ./payloadfile ~/backups/access.log but at the same time I give this command:
dd if=/dev/urandom of=access.log bs=1 count=200000