Type your comment> @rayjolt said:
I’ve managed to find the user flag and enumerate the filesystem, but I have no idea how I can get a shell. Any hints would be appreciated.
You might have overlooked an open port. You can enumerate the configuration file for that service which will give a lot clues for an attack.