Thanks tasiyanci for the hints.
Nmap scan ports, 22 and 80.
Open port 80, it's a wordpress site.
Wpscan the site, found some usernames, but no vulnerable plugins.
wpscan --url http://192.168.56.67 -e u,ap,at --no-banner --no-update --api-token my_token --plugins-detection aggressive --force
Generate a dic from the site.
Use wpscan or hydra to bruteforce wordpress login name:pass.
Login wordpress, find gill is a normal user, with no right to modify theme template.
In media folder, find a strange picture, which is not attached.
Download the picture and check strings, find a ssh password for gill.
Login ssh as gill, in home folder, find a keyfile.kdbx.
The file is a keepass2 database, which could be decrypted with keepass2john and john. Buf I tried a lot times and failed. I discussed with author, maybe it's because my linux terminal encoding problem.
So I make a simple bash script to decrypt it, which use kpcli. The time will be more than one and a half hour on my machine, if decrypt with rockyou.txt. Here I just use a shorter dic supplied by the author.
cat /usr/share/wordlists/rockyou.txt |while read line do echo $line out="$(echo $line|kpcli --command='open keyfile.kdbx' 2>&1)" res="$(echo $out|grep 'invalid')" if [ "$res" = "" ]; then echo "The correct password is $line" break fi done
Use keepass2 to open the file, find 6 entry.
Check the root folder of the machine, find a strange folder, which is empty now.
Upload pspy64 and run, find that, each minute, the root runs a script.
In fact, the key.sh is finding some file in /keyfolder, and only one file.
Try to create new file with name from the keyfile.kdbx. Once we get the right name, we'll get a new file.
The root password is in the file. Then we can get root.