This one…wow. So many credentials that don’t work anywhere!
I really enjoyed the early enumeration, because i felt I was on to something. Especially when I found that one of username/password combinations I had let me make t******s to the system. I thought then I could use that to access something on a port not available to the outside. “I’ve got it,” I thought.
Nope.
It then took me a long time to find where to actually get a foothold. Once I found that page and researched the vulnerability, I could see what needed to happen, but there were a few false-starts getting things properly configured locally. Once I had it working though, I knew exactly where to look. User was then quick.
With root, I saw quickly what I needed to do, and was familiar with the vulnerability, from another interpreter, I just got bogged down in trying to get a certain option to work instead of looking at what I’d already enumerated and trying some other things. @tofurky was a huge help to me at this point.
This was by far the most difficult system I’ve done so far.