I've found the phplist admin page - http://10.194.0.8/public_html/lists/admin/
All of the XSS Exploits found for that version require login to the admin panel.
Default credentials are admin\phplist don't work.
The error is - "Database error 1114 while doing query The table 'phplist_eventlog' is full".
I've tried to crawl the server and log for any files containing any other credentials but it won't work because of the login problem.
So i can't tell if that is part of the challange or some sort of bug in the configuration of the server?
Are there any other XSS exploits? or the public ones should work?