Giddy

I really enjoyed this box and learnt some valuable lessons along the way. Many thanks to @lkys37en for a great learning experience.

Initial foothold:

Enumeration was the key; upon discovering the right area you can search for a new bicycle tire (perhaps yours had been punctured?).

User:

Using a common method should reveal some interesting information. Something you see can guide you on the right path but you must go out of band and understand how to respond to the situation. If you get lucky with your research (as I did) a familiar four-legged friend (with the help of a little bird) can show you the way. I imagine this was intended(?) and if so was a great lesson concerning the importance of reconnaissance.

After obtaining the desired information, hashcat is your friend and you can use the result to access a different service. There are plenty of guides about how to access the service online, and don’t be discouraged if your login attempts fail at first; you just need to deal with how the creds need to be entered.

Admin:

Once in, the clue needed for privesc is in front of you.

I wanted an admin reverse shell using the exploit as I wanted to practice some evasion techniques. It is indeed helpful (although not strictly necessary) to have a Windows VM available for testing if you do this and some trial and error with different tools may be required. https://developer.microsoft.com/en-us/windows/downloads/virtual-machines.

I read that some people managed to achieve privesc without uploading anything. If anyone who did this is willing to share please could you DM me. If anybody wants to discuss techniques or needs a sanity check then I’m happy to help in DM. I hope there are no obvious spoilers in the above but if you have got this far into the thread then most of what I have said has already been covered.