Port enumeration

Using nmap I found 2 open ports, 22 and http. 3808b37445cff6dc43b49ef6bb46d550.png

Web enumeration

Using wappalyzer i found who the page is using the Express framework. 4641202c7187add283953fd9b0871648.png

SSTI

When I execute the clasic SSTI payload, I got an error. 3088b129eaadaa7cb5676b97e6e99b4e.png After a fast research, I found a RCE payload for this template engine. bbf5616784bcea778d168ca6d1d56577.png I need to edit the payload to import manualy the module. 4959c9a22008fa302f8e807addfb3b50.png With this, I can execute code, but I can't see the response. 99a81c7fd6369d7685a113377c6a9a5a.png So, I execute a reverse shell and read the flag. e9236350f7df30cfbeb2bd1c9b5e85e7.png