From nmap, there are some services opened.

Local Picture

This is the web page.

Local Picture

With all ports scanning in nmap, I got other ports opened.

Local Picture

There is RSIP service. I tried to connect to it as root, and it worked. I list users, and reset every users' password to “password”.

Local Picture

And then, I used thunderbird to access their mailboxes. There is a credential for mindy in her mailbox.

Local Picture

I connect to ssh as mindy, and found that I’m in a rbash environment.

Local Picture

Reconnecting by executing bash, and I got a well-functioning bash.

Local Picture

With pspy, I got that root runs /opt/tmp.py every 3 minutes. I rewrite it to give me a reverse shell.

Local Picture

Local Picture

Three minutes later, I got the reverse shell as root.

Local Picture