I got root, PM if you need help
where to put the creds… hmm
Finally rooted this box. These are my thoughts.
USER
- Enumerate the web directories using anything but gobuster. Be recursive if you must.
- When you get your first creds play around with the username. Alias for root is what?
- Some people used curl; I use Postman 'cause I was already comfortable with it.
- When you get all 4 creds, remember who is the admin. If you did your port 80 enumeration well enough, you would already know where to use the creds.
- Once you have dashboard access. Well you already know what to do.
ROOT
- Is there any privesc on this box. I wonder…
I got admin credentials from /u****/a*** from port 3*. I also got a list from /u****. I tried a combination of the two findings, on port 8000 as well as on the regular port in /manant and /lo**.p**. However, nothing seems to work. Please tell me if I am missing something.
Edit: finally rooted. Hint: there is something other than A#### on port 3*.
Still struggling to find any credentials. Are you using special wordlists or extensions for enumeration? Found a lot of /u**** directories on 3*** but no files…
No, there is no special wordlist… you have to get the token from port 3
@heartbeathack said:
No, there is no special wordlist… you have to get the token from port 3
I know that but I don't know where to look. I enumerated all directories and could not find any files :/
Pls where did you get the credentials to create the token? I looked in any subdirectory for any files like .txt .dat .db etc. I already used big wordlists.
I need a guide for the right path.
I think that I've done the initial step but I'm now stuck.
Found the 4 creds from 3*** using c*** but now I'm not able to use them.
I've found: m****t (and here I can log in but it appears to be useless (?)).
Plus L i*.p and A*i (in both of them I can't log in).
I'm assuming that the job on 3 is done and I can ignore it now after creds.
Feel free to pm me.
EDIT: got user, forgot to look in a simple file.
EDIT_2: got root too, natural consequence.
@KnightyLion said:
I need a guide for the right path.
I think that I've done the initial step but I'm now stuck.
Found the 4 creds from 3*** using c*** but now I'm not able to use them.
I've found: m****t (and here I can log in but it appears to be useless (?)).
Plus L i*.p and A*i (in both of them I can't log in).
I'm assuming that the job on 3 is done and I can ignore it now after creds.
Feel free to pm me.
ty <3
Same problem here. I am wondering if there's yet another login page somewhere that I'm missing…
Hint: just do more enumeration if you find 4 creds from 3*** and use the creds.
Completed it. It was a fun box. If you need any help, PM me.
Rooted - if you need help PM
@Malone5923 gives an excellent list of hints, follow those and you should get root
Finally got root! If you are stuck… feel free to PM me, as you might be making the huge mistake with the J*T requests and where to send them, as I was.
rooted. thanks to @heartbeathack for pointing me in the right direction. much appreciated, buddy!
Just got user and rooted, thanks to @Shikata for the little push. Feel free to PM me for help.
I'm a bit stuck! I have found the credentials, but now I end up with a directory list with three pages, one of which is login, but here the credentials don't seem to work. Really have no idea where I can look further.
So I would like a hint in the right direction, please share the steps I have done
EDIT: Finally rooted. With special thanks to @Impulse for clearing my blind spot. If I can help somebody, let me know.
Can anyone lend me a hand?
I've found db creds but not sure what to do with them. Maybe a rabbit hole?
I've enumerated everything (I think?) and found the /mt and c.p.
Can't find the 4 users people are talking about on 3.
Whenever I try to use curl I get "Unexpected token # in JSON at position 0".
Not a difficult box. Don't overthink it too much. Once you get the first set of creds you can get the rest.