This box is not well designed. There is a regular user, actually I saw once in the process list that someone logged in as that user, but brute forcing the password with simple lists leads nowhere. So I could read the user flag only when I rooted the box. Apparently it is easier to get root than to get user.
Yet, I liked the challenge of getting a first shell, although I still don’t get why the some ways fail and others don’t; of course, at some point you can easily see how others tried it - I wonder whether they succeeded. I also liked the priv esc for root - it’s not at all subtle or cunning (a very basic enumeration gives you the evidence for what’s wrong here) but you need to get all details right; took me a few experiments and lost shells to figure out how that works.