From nmap, there are ssh and http service.

Local Picture

This is the web page, it uses magento.

Local Picture

And we can create an account.

Local Picture

There is an admin login page.

Local Picture

I search magento using searchsploit.

Local Picture

I tried to use this python script.

Local Picture

And now, we can login to the admin page using credential forme:forme.

Local Picture

Furthermore, I used another python script, which needs our admin credential forme:forme, and I can do RCE as www-data.

Local Picture

I opened a reverse shell. With sudo -l, I found that I can run /usr/bin/vi /var/www/html/* as root.

Local Picture

So, sudo /usr/bin/vi any file in /var/www/html, and type :!/bin/sh to escape. Now, I get a shell with root privilege.

Local Picture

Local Picture