I am a newbie at this and I am stuck, so I am hoping I can get some advice. My situation is that I have a laptop running VMware on Windows 7, and my 3 virtual machines are Linux. My objective is to obtain the root password on 2 of my Linux VMs. Where I am stuck is how to break in and obtain a shell prompt, at least that's what I think I need to do: I tried many exploits with Metasploit against the open listener ports but to no avail; I tried running an exploit to run a netcat command to open a shell, but no sessions were created in Metasploit. I want to figure this out myself, but it's obvious I need some guidance. I hope someone can help me. Thanks in advance.

gunman

Here are my nmap results on machine 200:

Discovered open port 110/tcp on 192.168.1.200
Discovered open port 111/tcp on 192.168.1.200
Discovered open port 993/tcp on 192.168.1.200
Discovered open port 143/tcp on 192.168.1.200
Discovered open port 443/tcp on 192.168.1.200
Discovered open port 22/tcp on 192.168.1.200
Discovered open port 21/tcp on 192.168.1.200
Discovered open port 23/tcp on 192.168.1.200
Discovered open port 199/tcp on 192.168.1.200
Discovered open port 80/tcp on 192.168.1.200
Discovered open port 995/tcp on 192.168.1.200
Discovered open port 109/tcp on 192.168.1.200
Discovered open port 32770/tcp on 192.168.1.200
Discovered open port 7/tcp on 192.168.1.200
Discovered open port 79/tcp on 192.168.1.200
Discovered open port 6000/tcp on 192.168.1.200
Discovered open port 32768/tcp on 192.168.1.200

PORT      STATE SERVICE     VERSION
7/tcp     open  echo
21/tcp    open  ftp         vsftpd 1.1.3
22/tcp    open  ssh         OpenSSH 3.5p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 1024 2d:db:ed:2f:1c:0b:90:8f:32:bd:d5:76:79:6d:7f:6e (RSA1)
| 1024 79:99:86:f3:25:35:e8:34:c2:ae:2e:f3:75:88:14:12 (DSA)
|_1024 02:e1:de:15:37:36:f6:e0:16:07:c2:e8:05:4e:4f:77 (RSA)
23/tcp    open  telnet      Linux telnetd
79/tcp    open  finger      Linux fingerd
|_finger: No one logged on.
80/tcp    open  http        Apache httpd 2.0.40 ((Red Hat Linux))
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_html-title: Test Page for the Apache Web Server on Red Hat Linux
109/tcp   open  pop2        UW POP2 server 2001.63rh
110/tcp   open  pop3-proxy  PGP Universal pop3 proxy (Proxied greeting: POP3 [192.168.1.200] v2001.78rh server ready)
|_pop3-capabilities: OVID STLS OK(K Capability list follows) UIDL USER LOGIN-DELAY(180) TOP SASL(LOGIN PLAIN)
111/tcp   open  rpcbind     2 (rpc #100000)
143/tcp   open  jdwp
|_imap-capabilities: IMAP4rev1 AUTH=LOGIN IDLE AUTH=PLAIN OVID STARTTLS
199/tcp   open  smux        Linux SNMP multiplexer
443/tcp   open  ssl/http    Apache httpd 2.0.40 ((Red Hat Linux))
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_sslv2: server still supports SSLv2
|_html-title: Test Page for the Apache Web Server on Red Hat Linux
993/tcp   open  ssl/imap    UW imapd 2001.315rh
|_sslv2: server still supports SSLv2
|_imap-capabilities: LOGIN-REFERRALS IMAP4REV1 AUTH=PLAIN SCAN THREAD=REFERENCES MAILBOX-REFERRALS SORT AUTH=LOGIN THREAD=ORDEREDSUBJECT IDLE NAMESPACE MULTIAPPEND
995/tcp   open  tcpwrapped
|_pop3-capabilities: OK(K Capability list follows) UIDL LOGIN-DELAY(180) USER TOP SASL(PLAIN LOGIN)
6000/tcp  open  X11 (access denied)
32768/tcp open  status      1 (rpc #100024)
32770/tcp open  mountd      1-3 (rpc #100005)
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)

Here are my nmap results on machine 73:

Discovered open port 22/tcp on 192.168.1.73
Discovered open port 111/tcp on 192.168.1.73

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 85:62:1b:9c:3c:36:bb:41:2d:64:6a:4b:e1:aa:9f:07 (DSA)
|_2048 f9:19:f1:a0:f5:33:80:90:33:07:f9:9f:21:2f:fb:7f (RSA)
111/tcp open  rpcbind 2 (rpc #100000)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28

This exercise is for my CPT cert. I would appreciate a hint on whether Metasploit is the right direction or not, or whether I should pursue another route: FTP, telnet, etc.
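As an added example that is not part of the post, here is a defender-side triage script that parses nmap service lines like the ones above and turns the flags nmap already raises (SSHv1, SSLv2, TRACE, cleartext services) into a per-port hardening list; the SCAN string is a constructed excerpt of the machine-200 output, and the advice strings are my own.

```python
import re

# Constructed excerpt of the nmap -sV output for machine 200 (a few ports only).
SCAN = """\
21/tcp open ftp vsftpd 1.1.3
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
|_sslv2: server still supports SSLv2
6000/tcp open X11 (access denied)
"""

# "<port>/<proto> open <service> <version...>"
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")

# Services whose logins or data cross the wire unencrypted.
CLEARTEXT = {"ftp", "telnet", "pop2", "pop3", "imap", "finger", "echo"}

# Substrings in NSE script output ("|" lines) that indicate a weak setting.
SCRIPT_FLAGS = {
    "SSHv1": "SSH protocol 1 enabled; allow protocol 2 only",
    "SSLv2": "SSLv2 enabled; disable legacy SSL/TLS versions",
    "TRACE": "HTTP TRACE enabled; disable it (TraceEnable off, Apache 2.0.55+)",
}


def triage(text: str) -> dict:
    """Map each open port to a list of hardening findings."""
    findings, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current, service = m.group(1), m.group(2).lower()
            findings[current] = []
            if service in CLEARTEXT:
                findings[current].append(f"{service}: cleartext protocol; use an encrypted equivalent or firewall it")
            if service == "x11":
                findings[current].append("X11 reachable from the network; bind it to localhost")
        elif line.startswith("|") and current:
            # Script output belongs to the most recent port line; avoid duplicate advice.
            for needle, advice in SCRIPT_FLAGS.items():
                if needle in line and advice not in findings[current]:
                    findings[current].append(advice)
    return findings


if __name__ == "__main__":
    for port, notes in triage(SCAN).items():
        print(port, notes or ["no findings"])
```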