Rooted.
Some hint:
user: like a web pt, there is a classic web vulnerability that you exploit with a known tool in which you can create an os-shell,after then you must study a python script and with a google search (shell escape) you bypass forbidden character;
root : with a classic enumeration tool you find the way; use enable with absolute path and you must sure that your service/script have execution permissions.