From nmap, there are ssh and http service opened. With gobuster, we can see two more directories.

Local Picture

This is the web page, and the upload page for xml.

Local Picture

Local Picture

Create a test.xml and upload.

Local Picture

Local Picture

Local Picture

There could be a XML External Entity Injection (XXE Injection). Create exploit.xml to get the ssh key.

Local Picture

Local Picture

I connect to ssh with this key, and found another rsa private key.

Local Picture

Local Picture

However, it did not work for root or git.

Local Picture

Take a look at git log in /work/blogfeed, key is mentioned in one of the commits.

Local Picture

Local Picture

Local Picture

I got another key from that commit. It can be used to connect to ssh as root.

Local Picture