From nmap, there are several services open.

Accessing FTP, I got a text file.

This is the web page.

A Node.js framework is at port 3000, and it seems like we need to provide credentials for authentication.

An HTTP login page is at port 8000, and it is running Ajenti.

With gobuster, I got some directories and files to access.

I got a credential in config.php.

I found /login at port 3000, and we can access it with the previous credential. I got a JWT. With this JWT, I can get all users' information with /users.

Accessing /users/<username>, I can further get their passwords.

I log in to /management with Derry’s credential.

In /management/config.json, I got root’s credential.

With root’s credential, I log in to port 8000 successfully.

In Ajenti, I can open a terminal as root.
