80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
User can execute perl as root.
Webapp reveals little and nothing hidden in the image.
Dirb revealed only cgi-bin and considering the name we need to look for a script of some sort to see if it is vulnerable to shellshock, common ones include .sh
Run a dirb scan in cgi-bin looking for files with the extension .sh to see if we can find any files.
User.sh was found.now we need to test it for shellshock.
Copy to local dir and send the command as follows:
Looking for privesc opportunities we see that we can run perl as a root user.
Copy a perl rev shell to current dir and modify as follows
Upload to the target and execute while listening on port 445:
Now you should receive a reverse root shell so collect the flag.