From nmap, there are some services opened.
This is the web page.
With all ports scanning in nmap, I got other ports opened.
There is RSIP service. I tried to connect to it as root, and it worked. I list users, and reset every users' password to “password”.
And then, I used thunderbird to access their mailboxes. There is a credential for
mindy in her mailbox.
I connect to ssh as
mindy, and found that I’m in a rbash environment.
Reconnecting by executing bash, and I got a well-functioning bash.
pspy, I got that root runs
/opt/tmp.py every 3 minutes. I rewrite it to give me a reverse shell.
Three minutes later, I got the reverse shell as root.