This is a Linux machine with FTP, SSH and Web services there, but anonymous login is disabled for FTP. Fortunately, through web directory enumeration, we discovered a hidden_text file that provided us with a custom wordlist. Using this wordlist for a second scan, we found the FTP service credentials in a leaked pwned.vuln file.

With these credentials, we obtained ariana's SSH private key and gained an initial foothold on the system. By reviewing this user's sudo rules, we discovered that command injection could be exploited to pivot to the user selena. Since this user belongs to the docker group, we were able to mount the system's root directory into a container and utimately gain root privileges.