Rooted the box.
What worked for me:
- Using the API for brute-forcing the password. If you know anything about web apps vs. REST APIs you know why.
- Using the API for exploiting the vulnerability. I couldn’t get the payload to work using the known exploit. After some frustration, I wrote my own script that took my remote command as an input, and allowed me to execute the exploit using the API. Worked right away! After completing the box I think I know why the REST API was a better path.
- I went wd → root. Basic enumeration showed something that could easily be exploited for priv esc.
DM if you need a nudge.