■■■■, finally rooted after 2 hours of Googling. User flag got me stuck for a long time and Google just won’t show me the stuff I wanted to see lol
Why doesn’t Nikto flag this right away ?!?
Rooted!
root@knife:/opt# id && hostname && ifconfig
uid=0(root) gid=0(root) groups=0(root)
knife
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.242 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:befe prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:befe prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:be:fe txqueuelen 1000 (Ethernet)
RX packets 2722013 bytes 412311064 (412.3 MB)
RX errors 0 dropped 66 overruns 0 frame 0
TX packets 2509092 bytes 1106488505 (1.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
What fooled me was the ‘CVE’ rate matrix. This is not a traditional CVE as we all know; however, it is easy to find with just a bit of Googling.
Stuck working on this for a few hours with no foothold. I see the p*p version but not sure if I’m going down a rabbit hole. Any nudges?
@elveskevtar said:
Stuck working on this for a few hours with no foothold. I see the p*p version but not sure if I’m going down a rabbit hole. Any nudges?
Google, Google, Google, that’s the secret, and sometimes even some Chinese could help.
Stuck on foothold, any nudges? Trying to Google the software without any luck…
Got user foothold. Indeed, enumerate specific version of specific service, then Google. Also, as mentioned by @adminseeker, some Chinese dudes might help. Now going to root the s.it out of it…
Foothold was definitely frustrating, but root is pretty quick and straightforward. Foothold is pretty hard to nudge on without giving it away. The folks in here have already given some good hints.
I both love and hate this lol. Easy for a relaxing Saturday afternoon, just use your google-fu.
Rooted. Feel free to message me for hints.
The challenge of getting user felt contrived (the hints were very helpful, thanks). But getting root actually forced me (a noob) to learn a couple things, which was nice.
Finally rooted; took longer than I would have liked for gaining user. Thanks for all the nudges on this one y’all. PM me if you would like a nudge.
Also while I was trying to get a foothold (to user), a certain popular scanning tool told me there was a vulnerability with a CVSS of 10.0. It turned out to be a false positive, which kind of undermined my trust in that tool.
I had the right path pretty fast, but finding the information on the vulnerability took much longer than I wanted, lol. I think the hints on here are pretty solid already. If you need some hints, send a message.
Wow user took me a long time to get on this machine. Thanks to @PartyGolbez and @elveskevtar for the tips on priv esc. I was on the right track but needed a lil nudge.
Any nudges for foothold? I scan everything but I got no hint :/… There is a tool I used for scanning and it lists all possible vuln for j*****… Did I go in the right direction?
@Aether32 said:
Any nudges for foothold? I scan everything but I got no hint :/… There is a tool I used for scanning and it lists all possible vuln for j*****… Did I go in the right direction?
@Ob1lan and @adminseeker’s posts really helped me. I’m not familiar with the direction you’re going, but hesitate to say it’s “wrong” in case there’s multiple paths.
@lebutter said:
Why doesn’t Nikto flag this right away ?!?
Thanks, Nikto reveals something Nmap doesn’t show. I will add Nikto to my enumeration routine.
Can anybody help me? I was able to exploit the vuln, get LFI and read an SSH private file. But when I try to crack it, it doesn’t work.
The Nmap script engine led me the wrong way and wasted a lot of my time.
Maybe try the results of other recon tools before diving into the NSE result.