Read my writeup to AdmirerToo machine
TL;DR
User: By reading the HTML source of 403 pages we found vhost admirer-gallery.htb, Found Adminer on db.admirer-gallery.htb, Found Admier SSRF (CVE-2021-21311), Using the SSRF we access to internal port 4242 and found that is openTSDB, Using CVE-2020-35476 we get RCE and we get a reverse shell as opentsb user, Enumerate and found /var/www/adminer/plugins/data/servers.php which contains the password of jennifer user.
Root: Found fail2ban and openCATS running of the target machine on port 8080, Changing the admin password of openCATS on DB (Found the DB password on /opt/opencats/config.php), Using CVE-2021-25294 to write files using openCATS, Using that we write a file /usr/local/etc/whois.conf, Failed to log in 3 times as root user to we trigger fail2ban and we get a reverse shell as root.