As usual, it was an opportunity to learn a bit more about certain technologies. My 2cents:
- Foothold: the vulnerability should be obvious (although there are some unknowns there in terms of its requirements and the chance of success). The only difficulty is to get the right path. Play around with the requests to get that.
- Let’s call this one ‘pivot’: another vulnerability in a local service
- Root: from where you landed, stay home, and look for that thing that shouldn’t be exposed