Get user was hard, but root is obtained straight from www-data.
-Tips for user:
- Enumeration is your best friend
- API is always a gold pot. You must use it.
- Now, you need to prepare yourself against a long battle with command-injection! Try to find escape characters.
-Tips for root:
- Look at your privesc-enumeration. It is there!
In particular, I got root from www.
Is there another way?
PM for nudges!