OOB SQLi through WHOIS sure was interesting. Scavenging for a magic password in a LKM nailed the privilege escalation.
https://hackso.me/scavenger-htb-walkthrough/