From nmap, there are several open services.

Accessing ftp, I got a text file.

This is the web page.

A Node.js framework is at port 3000, and it seems like we need to provide credentials for authentication.

An HTTP login page is at port 8000, and it is running Ajenti.

With gobuster, I got some directories and files to access.

I got a credential in config.php.

I found /login at port 3000, and we can access it with the previous credential. I got a JWT. With this JWT, I can get all users' information with /users.

Accessing /users/<username>, I can further get their passwords.
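
The /users and /users/<username> behaviour described above (any valid token reads any record, password included) is what object-level authorization and an allowlist serializer prevent. The following is an added example, not code from the target or the original post; the user records, the claim names (`sub`, `role`) and the function names are constructed assumptions, and `claims` stands for a JWT payload whose signature has already been verified.

```javascript
// Constructed sample records. A real store should hold password hashes,
// never recoverable passwords.
const USERS = [
  { username: 'alice', role: 'admin', password: 'constructed-secret-1' },
  { username: 'bob', role: 'user', password: 'constructed-secret-2' },
];

const deny = (status, error) => ({ status, body: { error } });

// Weak pattern: any authenticated caller can read any record, and the
// stored object is returned as-is, secret fields included.
function getUserWeak(claims, username) {
  if (!claims) return deny(401, 'unauthenticated');
  const user = USERS.find((u) => u.username === username);
  return user ? { status: 200, body: user } : deny(404, 'not found');
}

// Only these fields may leave the API; anything not listed is dropped,
// so a field added to the store later is not exposed by default.
const PUBLIC_FIELDS = ['username', 'role'];

function toPublic(user) {
  return Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, user[f]]));
}

// Hardened pattern: the caller must be the record owner or an admin,
// and the response goes through the allowlist serializer.
function getUserHardened(claims, username) {
  if (!claims) return deny(401, 'unauthenticated');
  const allowed = claims.sub === username || claims.role === 'admin';
  if (!allowed) return deny(403, 'forbidden');
  const user = USERS.find((u) => u.username === username);
  return user ? { status: 200, body: toPublic(user) } : deny(404, 'not found');
}

// The collection endpoint gets the same treatment: admins only,
// public fields only.
function listUsersHardened(claims) {
  if (!claims) return deny(401, 'unauthenticated');
  if (claims.role !== 'admin') return deny(403, 'forbidden');
  return { status: 200, body: USERS.map(toPublic) };
}
```
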

I log in to /management with Derry’s credential.

In /management/config.json, I got root’s credential.

With root’s credential, I log in to port 8000 successfully.

In Ajenti, I can open a terminal as root.