From nmap, there are SSH and HTTP services.

This is the web page.

From nmap, we can see that it runs nostromo 1.9.6, so I searched for it with searchsploit. There is an RCE Python script.

With that RCE script, we can get a reverse shell as www-data.

I don’t have permission to access david’s directory.

From /var/nostromo/conf/nhttpd.conf, it seems that there is a directory /home/david/public_www/.

Going to /home/david/public_www/protected-file-area/, there is a .tgz file.

Extracting that file, I got id_rsa in .ssh, and recovered the passphrase hunter with John the Ripper.
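The key that opened the david account was sitting under the web-served public_www tree and was protected only by a short passphrase. From the defender's side there are two checks: is any private key reachable from a web root at all, and if so, is it encrypted (an unencrypted OpenSSH key carries the cipher name "none" in its openssh-key-v1 header; a legacy PEM key signals encryption with a `Proc-Type: 4,ENCRYPTED` header; a PKCS#8 container uses the "ENCRYPTED PRIVATE KEY" label). Below is an added audit script, my own example and not part of this write-up or the box; the key files it inspects are constructed stubs that carry only the header fields, not real keys, and the directory names are assumptions.

```python
import base64
import os
import re
import struct
import tempfile

# Matches any PEM-armoured private key and captures the label and the body
# between the BEGIN and END lines.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]*PRIVATE KEY)-----\r?\n(?P<body>.*?)-----END", re.S
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf, off):
    """Read one length-prefixed (uint32 big-endian) string from an SSH blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(data):
    """Return None if data holds no private key, else (state, label) where
    state is "encrypted", "plaintext" or "malformed"."""
    m = PEM_RE.search(data)
    if not m:
        return None
    label = m.group("label").decode()
    body = m.group("body")
    if label.startswith("ENCRYPTED"):            # PKCS#8 encrypted container
        return ("encrypted", label)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode(b"".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            return ("malformed", label)
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        _kdf, _ = _read_ssh_string(blob, off)
        return ("plaintext" if cipher == b"none" else "encrypted", label)
    if b"Proc-Type: 4,ENCRYPTED" in body:         # legacy PEM (RSA/DSA/EC)
        return ("encrypted", label)
    return ("plaintext", label)


def audit_tree(root):
    """Walk a web root and report every private key found, with its state."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(64 * 1024)   # headers sit at the top
            except OSError:
                continue
            res = classify_private_key(data)
            if res:
                findings.append((os.path.relpath(path, root), res[0], res[1]))
    return sorted(findings)


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_openssh_header(cipher, kdf):
    """Constructed stub: only the openssh-key-v1 header fields (magic, cipher,
    kdf, empty kdf options, key count), enough for classification. Not a key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    lines = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + lines + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def demo():
    """Build a constructed public_www tree (assumed layout) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "public_www", ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "id_rsa"), "wb") as fh:
            fh.write(make_sample_openssh_header(b"aes256-ctr", b"bcrypt"))
        with open(os.path.join(ssh_dir, "id_ed25519"), "wb") as fh:
            fh.write(make_sample_openssh_header(b"none", b"none"))
        with open(os.path.join(root, "public_www", "index.html"), "wb") as fh:
            fh.write(b"<html>constructed page</html>")
        return audit_tree(root)


if __name__ == "__main__":
    for rel, state, label in demo():
        print(f"{state:10} {label:22} {rel}")
```

On a real host you would point `audit_tree` at the directory the `homedirs` settings in nhttpd.conf expose. Encryption only narrows the window: a passphrase as short as the one cracked here falls to John quickly, so the finding to act on is the key's location, not just its state.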

Now, I can ssh in as david. In /bin/, there is a bash script that runs journalctl with sudo.

I ran the same command, typed !/bin/sh, and now I have a shell as root.
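The escalation above works because journalctl hands its output to a pager, and the pager can start an interactive shell that inherits the root privileges sudo granted. The sudoers rule is the thing to fix: putting `--no-pager` into the allowed command spec means sudo matches only that exact invocation, so the pager never runs. Below is an added audit script, my own example and not part of this write-up or of the box; the sudoers entries it parses are constructed (the box's actual rule is not reproduced here, and the service name is a placeholder), and `PAGER_COMMANDS` lists only the command this write-up exercises.

```python
import re
import shlex

# Constructed sample sudoers entries (not the box's real configuration).
# Line 3 grants journalctl without --no-pager; line 4 is the hardened form.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -usomeservice   # weak
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -usomeservice
"""

# Commands that route output through a pager unless told otherwise, and the
# flag that disables it. Extend for your own review as needed.
PAGER_COMMANDS = {"journalctl"}
NO_PAGER_FLAGS = {"journalctl": "--no-pager"}

# user host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)


def parse_rules(text):
    """Yield (user, runas, tags, command) for each non-Defaults sudoers rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, runas = m.group("user"), m.group("runas") or "root"
        for cmd in m.group("spec").split(","):
            cmd = cmd.strip()
            tags = []
            while True:                           # peel NOPASSWD: / SETENV: ...
                t = re.match(r"[A-Z]+:\s*", cmd)
                if not t:
                    break
                tags.append(t.group().strip())
                cmd = cmd[t.end():]
            yield user, runas, " ".join(tags), cmd


def find_pager_escapes(text):
    """Return rules that grant a pager-capable command without its no-pager flag."""
    findings = []
    for user, runas, tags, cmd in parse_rules(text):
        if cmd == "ALL":
            continue                              # full sudo: out of scope here
        argv = shlex.split(cmd)
        if not argv:
            continue
        base = argv[0].rsplit("/", 1)[-1]
        if base in PAGER_COMMANDS and NO_PAGER_FLAGS[base] not in argv[1:]:
            findings.append((user, runas, tags, cmd))
    return findings


def hardened_rule(user, runas, tags, cmd):
    """Rewrite one flagged rule with the no-pager flag inserted after the binary."""
    argv = shlex.split(cmd)
    base = argv[0].rsplit("/", 1)[-1]
    flag = NO_PAGER_FLAGS.get(base)
    if flag and flag not in argv[1:]:
        argv.insert(1, flag)
    prefix = f"{tags} " if tags else ""
    return f"{user} ALL=({runas}) {prefix}{shlex.join(argv)}"


if __name__ == "__main__":
    for user, runas, tags, cmd in find_pager_escapes(SAMPLE_SUDOERS):
        print("FLAGGED :", user, runas, tags, cmd)
        print("SUGGEST :", hardened_rule(user, runas, tags, cmd))
```

Run it against the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` on the host being reviewed. Because sudo matches the command line literally, the hardened rule cannot be invoked without `--no-pager`, which closes this path without removing the log access the script needed.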