Read my writeup to Late machine on:
TL;DR
User: Found another subdomain images.late.htb which extracts text from images (OCR), By observing the source code (from Github) we found the capability to RCE, Using that we read the SSH key of svc_acc user.
Root: Found script /usr/local/sbin/ssh-alert.sh with write permission, This script runs for every SSH login, Add to this script reverse shell and we get a reverse shell as root.