Finally rooted! Initial foothold was rather circuitous and there were many blind alleys to go through - it took me days to get the initial shell while root took only about 1-2 hours.
Foothold: Once you’ve found the H** that everyone is referring to, the fun begins here. At first, I had to sieve through the many vulnerabilities and decide which to use. In the end, I only relied on what was already available in a certain framework in my attacking box. I suspect there are multiple routes to get to the first web shell. I went the not-so-disruptive way but would be interested to hear of alternative methods that chains vulns together in different ways.
User 1: You might have found something previously which would help.
User 2: It’s a service related to the name of the box.
Root: Blue whale and something special about user 2. There could be slight variations in the root approach. I stumbled for a while before I realised I had to check on images before I could proceed.