@LMAY75 said:
Is it just me or is this a little too guess-y for the foothold
It depends how you did it. For me it was enumeration, find thing, find public exploit for thing, exploit thing, have access, use functionality from access, have shell.
Then it was use creds I’d found during enumeration.
Not sure there was any step there where I had to guess something. I used a custom wordlist at one stage but that isn’t that unusual.