Canyon
Nmap Scan Result
The scan shows just three open ports: SSH, SMTP, and port 777, which seems to be SMTP as well.
Since I am not sure what service is running on port 777, I decide to take a closer look.
A telnet session on the service shows it running OpenSMTPD. Though no version number was displayed, it's always a good idea to see if there is any vulnerability for a discovered service.
...and yes, we have a winner: https://www.exploit-db.com/exploits/48038
As seen above, the exploit is a Ruby exploit, which means it's available on Metasploit, so I fired up Metasploit and searched for the OpenSMTPD service, which returned the same exploit we found online.
Entered the required options, ran the exploit, and not only did we get a shell, but we got logged in as root.
Finding the last FLAG might be a bit tricky, as the flag was hidden in the /etc/passwd file. Enumerate! Enumerate! Enumerate!!!