Official Laboratory Discussion

Rooted! I was able to gain a foothold without spinning up my own thing; I found a R*** module and imported it into a framework and got RCE that way. Getting user was new to me, and it took me too long before getting it. Root was okay: I did a little bit of RE in Ghidra and after that, owning the box was easy.

Initial Foothold

Others are saying they started their own instance of what's running; I didn't go down this road. I did a bit of research and found an exploit that I could import into a framework, and after that, got a shell. Great, on the box.

User

This took me forever when it was right in front of me. Half my problem was that I had never heard of this particular tool (look at where you land after getting a shell). Once I got a basic understanding and knew what I could do to someone, I was in as that person. He has a very sensitive file lying about; can you find it? Once you do, you will know what to do in order to get user. Go get your flag!

Root

This was pretty easy for me once I found it. Your off-the-shelf enum scripts should pick this up, but it won't stick out with pretty colors. This kind of file is easily exploited if the person isn't careful; you need to be absolutely, not relatively, sure what you're doing when making these. I opened this thing in the NSA's favorite tool and right away found the way in. A little file here, adding it there, and running it, and boom, popped root.

I can understand people's frustrations around the difficulty of the box. From one side, it was beginning to lean on the medium side while at the same time being just within the easy marks.