Introduction

Target: 10.10.10.25 (Linux)
Kali: 10.10.16.65

Holiday is officially rated an Insane box. Getting the user shell is really difficult; the hardest part is bypassing the XSS filter, which can take a lot of time. The root privilege escalation abuses npm install, which is a relatively fresh technique.

Information enumeration

As usual, use nmap to detect open ports and related services: nmap -A 10.