Read my write-up for Devzat machine on
TL;DR
User 1: Found the vhost http://pets.devzat.htb with an RCE vulnerability in the species field. Using that, we get the SSH private key of the patrick user.
User 2: Log in to the devzat chat platform as patrick, where we find a message from admin which says that an influxdb database is installed on this machine. By reading data from influxdb, we find the password of the catherine user.
Root: Log in to the devzat chat platform as catherine, where we find a message from patrick that says he publishes the dev chat platform on port 8443 and that the source code is located in backups. By reading the dev source code, we find a new command, file, which allows reading files as root. Using that, we read the root SSH private key.