Was a lot of fun, but also some hard work. In hindsight everything could’ve been done very much more efficiently, but I guess that is the case for EVERY achievement in retrospect.
I rated 7/10 for userflag and 3/10 for root, but 7/10 doesn’t really reflect the complexity; it only is that high because of the really long time it took me to get onto the right track. After first analyzing the server-script I got the wrong idea for exploiting a vulnerability there. Then I saw the right vulnerability to exploit, but still wasn’t totally on the right track, because I was blinded by what only seemed to be obvious but wasn’t correct at all. Is it a red herring?
Finally I saw a better opportunity of getting remote-access as the web-user, and from then on the rest went relatively smoothly.
After having access as ssh-user, enhancing privileges was not a big deal at all here.
Really a nice challenge - if only I’d seen the more promising way a bit quicker!