From nmap, there are ssh and http service opened. With gobuster, we can see two more directories.
This is the web page, and the upload page for xml.
test.xml and upload.
There could be a XML External Entity Injection (XXE Injection). Create
exploit.xml to get the ssh key.
I connect to ssh with this key, and found another rsa private key.
However, it did not work for
Take a look at git log in
/work/blogfeed, key is mentioned in one of the commits.
I got another key from that commit. It can be used to connect to ssh as root.