From nmap, there are some services opened.

This is the web page.

With all ports scanning in nmap, I got other ports opened.

There is RSIP service. I tried to connect to it as root, and it worked. I list users, and reset every users' password to “password”.

And then, I used thunderbird to access their mailboxes. There is a credential for mindy in her mailbox.

I connect to ssh as mindy, and found that I’m in a rbash environment.

Reconnecting by executing bash, and I got a well-functioning bash.

With pspy, I got that root runs /opt/tmp.py every 3 minutes. I rewrite it to give me a reverse shell.

Three minutes later, I got the reverse shell as root.