Badger

Nmap Scan Result

The nmap scan shows several interesting open ports, but the RPCbind (truncated) on port 111 looks the most interesting.

Using the rpcinfo tool, it was possible to see that the NFS (Network File System) service is running.

Mounted the filesystem "nfsroot" locally to "/tmp" and was able to read an internal note which contains a base64-encoded string.

The decoded string happens to be the SSH login credential of user "jessy", and I was able to log in successfully on the SSH service.

Privilege Escalation

Using LinPEAS, the PE vector "no_root_squash" below was observed. See here for more info regarding no_root_squash.

I initially copied my "/bin/bash" program to the mount location "/mnt/nfsroot". Then I mounted the NFS service to "/mnt/nfsroot" locally. I then created a Python script that changes the "bash" program's owner and group to root, sets the SUID bit, and makes it executable.
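
On the server side, the misconfiguration behind this escalation is visible in /etc/exports. The following is an added example, not part of the original writeup: a small auditor that parses exports(5) syntax and reports every client entry where root is not squashed. The sample file content and the function names are constructed for illustration.

```python
import shlex

# Constructed sample /etc/exports content (not taken from the box in this writeup).
SAMPLE_EXPORTS = """\
# /etc/exports
/nfsroot        *(rw,sync,no_root_squash)
/srv/backup     10.0.0.5(ro,sync) \\
                10.0.0.6(rw,no_root_squash,no_subtree_check)
/srv/public     192.168.1.0/24(ro,root_squash)
/srv/legacy     -rw,no_root_squash host1 host2(ro)
"""

def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports(5) text."""
    logical = text.replace("\\\n", " ")      # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)           # handles double-quoted paths
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):        # "-opt,opt" sets defaults for later clients
                defaults = field[1:].split(",")
                continue
            client, _, opts = field.partition("(")
            own = [o for o in opts.rstrip(")").split(",") if o]
            yield path, client or "*", defaults + own

def risky_exports(text):
    """Return (path, client, writable) for entries where root is not squashed.

    Only root_squash/no_root_squash and ro/rw are modelled; the last mention wins.
    Other squash options (all_squash, anonuid) are not evaluated here.
    """
    findings = []
    for path, client, opts in parse_exports(text):
        squash, writable = True, False       # exports(5) defaults: root_squash, ro
        for opt in opts:
            if opt in ("root_squash", "no_root_squash"):
                squash = opt == "root_squash"
            elif opt in ("rw", "ro"):
                writable = opt == "rw"
        if not squash:
            findings.append((path, client, writable))
    return findings

if __name__ == "__main__":
    for path, client, writable in risky_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: no_root_squash ({'rw' if writable else 'ro'})")
```

Entries reported as writable with a wildcard client are the ones to fix first; removing no_root_squash restores the default mapping of remote root to the anonymous user.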