Overview

The machine starts with simple enumeration that discovers a vhost hosting a Flowise service. Finding a way to enumerate users and resetting the password for one of them gives us access to the service. The service is vulnerable to RCE, which leads to a shell inside a Docker container. With a password leaked in the environment variables, we get SSH access, then find another vulnerable service running locally that can get us a shell as root.

Enumeration

We start with a normal nmap scan and find two open ports: HTTP and SSH.

...