Admirer

Rooted this box a few days ago, but didn’t get around to posting about it yet. Really liked this one, thanks @polarbearer and @GibParadox. There are quite a few rabbit holes on this box, but to me they always felt natural, not like on other boxes. It felt a bit like this box is a machine that’s actually being used by someone and that wasn’t completely deliberately set up to be hacked :slight_smile:

There are many very good hints in this thread here. I don’t really know what to add, but here’s a try:

Foothold: Enumeration really is key. If you always use the same wordlist and don’t find anything, use other wordlists as well. Also take note of everything you find, because even if you can’t directly use it, you might be able to use it later.

User: To own the user, you’ll have to perform quite an interesting exploit. Once you’ve found the right page, some googling will easily give you the correct info. The exploit needs some setup, but isn’t all too complicated in the end.

Root: Another nice exploit that you need to use here. There’s something there that you can control, although it might not seem like it at first. You might be looking for user input to exploit and the way to exploit is quite similar to that, but it’s aimed at something you might not consider to be “user input”. However, take a close look at the user privileges you have.