Using nmap I found 2 open ports, 22 and 5000.
In port 5000, I found a Node.js instance.

In this web page I only found a login form.

After some time, I decided to change the form encoded type, by default, uses x-www-form-urlencoded, but also accepts json.
Using this json, I can execute nosql injection to bypass the login form.

This page allows me to upload articles into the server.
The page needs a XML document.

I created a malicious xml document.
And it works.
With this, we can idetify the user admin, but I didn't found keys or credentials, so, it looks like a rabit hole.
After some enumeration I found that this version have a insecure deserialization vulnerability in the function deserialize().
Reading the main.js code, I found that this function is been used.
With a bit more enumeration, I found the unserialized code in the cookie auth.
With this cookie, I delivered the payload with a reverse shell.

Inside the mongodb I found the admin user password.
Admin is a sudogroup user, so, I just used sudo su to get a root shell.
