Badger
Nmap Scan Result
The nmap scan shows several interesting open ports but the RPCbind (truncated) on port 111 looks most interesting..
using RPCinfo tool, it was possible to see that NFS (Network File System) service running
Mounted the filesystem ""nfsroot" locally to "/tmp" and was able to read internal note which contains a base 64 encoded strings
The decoded string happens to be SSH login credential of user "jessy" and I was able to login successfully on the SSH service.
Privilege Escalation
Using Linpeas. The below PE vector "no_root_squash" was observed. see here for more info regarding no_root_squash
I initially copied my "/bin/bash" program to the mount location "/mnt/nfsroot". Then Mounted NFS service to "/mnt/nfsroot" locally. I then created a python script that change the "bash" program's owner and group to root and also set the SUID bit as well as make it executable.
