Finally pwned user and root today (my first box!).
Thanks for the largely non-spoilery tips here guys, learned a lot. Could someone PM me the way they enumerated for user? I wouldn’t have figured it out if someone didn’t give too much of a hint on enumeration
To echo others:
user: enumeration is the key to starting, and once you later find the exploit, READ IT CAREFULLY; it does more than you thing and it will make your last run for this flag much simpler
root:
ippsec-lazy. he takes the time to run a couple examples of a trick for simple privesc. you just have to find the right path