Frolic

Got root. I had some gaps in knowledge so it took quite a while. The whole box is very CTF-like and not anything that would happen on a real-life setup.

My tips:

  1. For user:

I found out that it is good to use multiple dirbusting apps; I used gobuster at the start and it did not find what I needed. Quite a bit of research is needed to get to the point where you can grab the user flag. This thread contains sufficient information to start with; Google is your friend as always.

  2. For root:

Read the links in the thread and it’s a good idea to do the exercises in those links. For the actual exploit you need to find the thing that does not change and from there you can move up. I strongly advise setting up a local development box with the same OS.

I can see now why the box is only 20 points: if you know your overflows, it will be relatively simple. If anything I mentioned is a spoiler, please remove!

PM for tips, will try to help out.