id

uid=0(root) gid=0(root) groups=0(root)

Overall, kinda a “meh” box in my opinion and closer to a medium, especially given the limitations in getting the initial foothold (if you got a revshell you’ll understand what I mean).

User

Enumerate what is running + do some googling and you shouldn’t have any trouble with RCE. Persistance may be troublesome, but try to “flow in” in areas of least resistance. Getting user.txt will take some additional enumeration/exploitation.

Root

This is what took me the most time, and ended up being the most annoying. From ~5 minutes after user it’ll be clear what the vector is, but accurately weaponizing it is tedious and annoying. Easy to overthink, but once you know what you’re doing don’t overdo it. Google is also your friend here.

Feel free to PM if you need a nudge.