Nmap Output:

 

 

Home Page

 

 

Robots.txt

 

 

Here we are given a clue. We can ssh bruteforce the meliodas user we see on the home page.

 

 

We got the password. We can now log in

 

 

We captured User.txt.

 

 

In the sudo -l command output, we see that the user can run the bak.py file with the sudo command.

 

We do not have the authority to change the contents of the .py file. But delete the file and create a new “bak.py” file and add:

 

import pty; pty.spawn("/bin/sh")