Had to make my Firefox able to load TLS 1.0, then found elastix was vulnerable, gained foothold. Then, found a Webmin portal which was able to execute commands as root, which gave me root.
Enumerated LDAP, http, smbclient, to then Kerberoast, auth as sqlsvc, and prepare a silver ticket attack. Once we convert SID to string, we can create our ticket, and authenticate as a shell with pwsh. Once we gain foothold, we get root with a deserialization attack.
Boolean-based SQL injection, which gives access to a database, then we authenticated file fuzz leading to bypassing .htaccess in apache which gives RCE. Once foothold from RCE was obtained, we pivot as mark, find a local hosted web server, and exploit npm to root.