This is a tough nut to crack! I've literally spent 20 hours on this one. Attempting SQLi and XSS through Sqlmap, Burp Suite, grabber, xsser using the known vulnerabilities in 2.10.17 until I read that, the version is ONLY vulnerable whilst logged in as admin. So now it's time to get cracking! Seriously this environment is exploding my mind! It's so cool and such a learning experience.