Official OpenKeyS Discussion

For me, the foothold wasn’t too tough, but a failure during the enumeration killed about 6 hours of my time. See, when I enumerated, the tool I used told me that a certain thing was inaccessible, so I never tried to further enumerate it. Thus, even though I had found the CVE, and had seen what -s********* could do, I was stuck. I had not found the much-discussed binary or the username. Many thanks to @cre4k on Discord for encouraging me to go back and check that unreadable thing again; I honestly didn’t know if I was missing something obvious (I was) or had a fundamental misunderstanding of what was going on.

Once I went back and checked that, and found out what was hiding there, the foothold was just trial-and-error and some handwaving, and everything after that was quick.

So I guess the lesson is, if you’re stuck, go back and re-enumerate just to see if anything comes up different the second time around.