Chocker

Nmap Scan Result

Used the Metasploit auxiliary module (scanner/smtp/smtp_enum) to enumerate SMTP users; after finding a user, I created a username wordlist from it.

Brute-forced the POP3 mail server with the user list and rockyou.txt but had no luck; then I decided to try the username as the password and hit the jackpot with "operator".

Connected to the mail server with the found credentials via Telnet and found a mail in the inbox containing a password.

Used those credentials to log in successfully over SSH.
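From the defender's side, the two steps that gave the foothold (SMTP user enumeration followed by POP3 password guessing) both leave a very recognisable pattern in mail logs: one source probing many mailbox names, then many failed logins for one mailbox, sometimes ending in a success. The script below is an added example, not part of the original writeup, that flags both patterns. The log format, field names, sample lines, thresholds and IP addresses are all constructed for the example; adapt the two regexes to whatever your MTA and POP3 daemon actually write.

```python
"""Flag SMTP user enumeration and POP3 password guessing in mail logs.

Added example, not part of the original writeup. The single-line log format
below (ts, daemon, src=, cmd=, user=, result=) is constructed for the example;
real Postfix/Dovecot lines need their own regexes.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from the box in the writeup).
SAMPLE_LOG = """\
2024-03-10T10:01:02 smtpd src=10.10.14.5 cmd=VRFY user=root result=unknown
2024-03-10T10:01:02 smtpd src=10.10.14.5 cmd=VRFY user=admin result=unknown
2024-03-10T10:01:03 smtpd src=10.10.14.5 cmd=VRFY user=alice result=unknown
2024-03-10T10:01:03 smtpd src=10.10.14.5 cmd=VRFY user=operator result=ok
2024-03-10T10:01:04 smtpd src=10.10.14.5 cmd=VRFY user=guest result=unknown
2024-03-10T10:05:00 smtpd src=192.168.1.20 cmd=VRFY user=bob result=ok
2024-03-10T10:10:01 pop3d src=10.10.14.5 user=operator result=auth_failed
2024-03-10T10:10:01 pop3d src=10.10.14.5 user=operator result=auth_failed
2024-03-10T10:10:02 pop3d src=10.10.14.5 user=operator result=auth_failed
2024-03-10T10:10:02 pop3d src=10.10.14.5 user=operator result=auth_failed
2024-03-10T10:10:03 pop3d src=10.10.14.5 user=operator result=auth_failed
2024-03-10T10:10:03 pop3d src=10.10.14.5 user=operator result=auth_ok
2024-03-10T11:00:00 pop3d src=192.168.1.20 user=bob result=auth_ok
"""

SMTP_RE = re.compile(
    r"^(?P<ts>\S+) smtpd src=(?P<src>\S+) cmd=(?P<cmd>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)
POP3_RE = re.compile(
    r"^(?P<ts>\S+) pop3d src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def analyse(log_text, vrfy_threshold=3, fail_threshold=5):
    """Return a list of findings: one per source doing enumeration, one per
    (source, user) pair being password-guessed. Thresholds are assumptions."""
    probed = defaultdict(set)          # src -> distinct usernames probed via VRFY/EXPN/RCPT
    failures = defaultdict(int)        # (src, user) -> failed POP3 logins so far
    succeeded = set()                  # (src, user) where a success followed the failures

    for line in log_text.splitlines():
        m = SMTP_RE.match(line)
        if m:
            if m["cmd"] in ("VRFY", "EXPN", "RCPT"):
                probed[m["src"]].add(m["user"])
            continue
        m = POP3_RE.match(line)
        if m:
            key = (m["src"], m["user"])
            if m["result"] == "auth_failed":
                failures[key] += 1
            elif m["result"] == "auth_ok" and failures[key] >= fail_threshold:
                # A success only after a burst of failures is the brute-force signature.
                succeeded.add(key)

    findings = []
    for src, users in probed.items():
        if len(users) >= vrfy_threshold:
            findings.append({"type": "smtp_user_enumeration", "src": src,
                             "probed": len(users)})
    for (src, user), n in failures.items():
        if n >= fail_threshold:
            findings.append({"type": "pop3_password_guessing", "src": src,
                             "user": user, "failures": n,
                             "succeeded": (src, user) in succeeded})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

On the sample data only 10.10.14.5 is reported: five distinct names probed, then five failed logins for operator followed by a success. The obvious mitigations match the two findings: disable VRFY/EXPN on the MTA so user enumeration fails, and rate-limit or ban repeated authentication failures on POP3/IMAP.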

Privilege Escalation

Checked operator's .bash_history and found a Python script called time_teller (note also time_teller_executer, which has the SUID bit set) owned by root. It is a simple program that prints the current time, but it imports the os module, which makes it a candidate for a Python library hijack.

Usually a library hijack means changing the location the os module is imported from, but in this case I noticed that os.py itself was writable, so I could simply append my reverse-shell code to the end of it.

Ran time_teller_executer after adding the Python reverse shell to os.py, while listening with netcat, and got a shell as root.
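The root cause here is a privileged script whose imports resolve to files a low-privilege user can edit, and that is something an administrator can check for before anyone else does. The audit script below is an added example, not part of the original writeup and not the box's time_teller code. Given a script that will run with elevated privileges (a SUID wrapper, sudo or a root cron job), it parses the script's imports with `ast`, works out where each import would be loaded from (the script's own directory first, because that is sys.path[0] at run time, then the interpreter's normal resolution) and reports any module file or containing directory that is group- or world-writable or not owned by a trusted uid. The `helper` module and file names in the usage are assumptions made for the example.

```python
"""Audit a Python script for library-hijack exposure.

Added example, not part of the original writeup. Reports imported modules
whose file or directory could be modified by someone other than a trusted
uid (root by default), plus a writable script directory, which would let
anyone drop a shadowing os.py next to the script.
"""
import ast
import importlib.util
import os
import stat
import sys


def _writable_reasons(path, trusted_uids):
    """Why `path` could be modified by someone other than a trusted uid."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons


def _imported_names(script_path):
    """Top-level module names imported anywhere in the script."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def _resolve(name, script_dir):
    """Where `import name` would load from when the script is executed.

    The script's directory is sys.path[0] at run time, so a same-named .py
    there shadows the standard library; check it first, then fall back to the
    interpreter's own resolution."""
    shadow = os.path.join(script_dir, name + ".py")
    if os.path.isfile(shadow):
        return shadow
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None:
        return None
    if spec.origin and os.path.isfile(spec.origin):
        return spec.origin
    # Frozen stdlib modules (3.11+) report origin='frozen' but still carry __file__.
    return getattr(sys.modules.get(name), "__file__", None)


def audit_script(script_path, trusted_uids=(0,)):
    """Return findings as dicts: module, resolved path, and the reasons it is risky."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    dir_reasons = _writable_reasons(script_dir, trusted_uids)
    if dir_reasons:
        findings.append({"module": "<script dir>", "path": script_dir, "reasons": dir_reasons})
    for name in _imported_names(script_path):
        path = _resolve(name, script_dir)
        if path is None:            # built-in or unresolvable: nothing on disk to tamper with
            continue
        reasons = _writable_reasons(path, trusted_uids)
        parent = os.path.dirname(path)
        reasons += [f"directory {r}" for r in _writable_reasons(parent, trusted_uids)]
        if reasons:
            findings.append({"module": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage (assumed path): python3 audit_imports.py /opt/time_teller.py
    for f in audit_script(sys.argv[1]):
        print(f"{f['module']:12} {f['path']}: {', '.join(f['reasons'])}")
```

Run against the box's script, this would have reported os.py as writable, which is exactly the condition the escalation relied on. The fix is the mirror image of the attack: restore root ownership and 0644 on the standard library, make sure the privileged script's directory is not writable by unprivileged users, and run privileged Python with `-I` (isolated mode) so the script directory and environment variables such as PYTHONPATH cannot redirect imports.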