Official Unicode Discussion

I managed to dump root f, but I’m a bit disappointed cause I couldn’t get shell.
Dumping root p k, I saw that line 21 is not dumped, hence the k I rebuild is incomplete so no s** login. Has anybody managed to get around this?

Edit: ok, got root shell. There’s another obvious way to do this (rather than read the s** p k)

got the root flag but no shell here.
can you pm me your solution for getting the shell?

Rooted. Great machine! I’ve enjoyed this one.

Dm me if you need nudges.

Learned a bunch of useful techniques on this box. Quite interesting behavior of the unicode part!

Let’s go for this… 🙂

FOOTHOLD : is there any directory traversal vulnerability? Is token RSA coded? The RCE vulnerability of CMS is usable?

I respond to myself. Yes there is a directory traversal but after you manage to log with admin account. The token is RSA signed and you need to understand how it works to generate a pair of keys. CMS is not vulnerable as version is higher.

USER : once you know how to read files it’s simple. Look for what is running and search configs.

ROOT : going for root now… Exploiting the program is not simple. Try to read code.

This foothold misled me for a while:
yes, there is a dir. traversal and you also need to use it to become admin…

Foothold
There’s one (obvious) issue that was featured on the OWASP Top 10 in 2013. This vulnerability in itself is not very useful, but you need to combine it with another one to escalate your privileges.

User
Once you’ve escalated your privileges, you will need to exploit another vulnerability. It helps to understand the server that you’re facing.

Root
Enumerate to find the right direction. Once you’re there, try a bunch of things to understand how this works. Then bypass another blacklist to get where you want to get.

P.S. This box works with filters/blacklists in every stage, keep trying. Also, SSH private keys are not necessary.

Rooted the box but failed to obtain a complete reverse shell. I tried a couple of evasions from the blacklist, but still no luck. 😕

For those wondering how to get a shell you can DM me.

Hint if you want to search how to get a shell, maybe you can write files anywhere

I got the root flag, but no shell. Hmmm, bummer. At least the box is retiring soon and I can see how it’s done.

If anyone gets stuck on the foothold, just remember to think about the FORMAT that everything is in. I fiddled with the t***n for hours before I clued in that I was reconstructing it using two things that were in the wrong format! (Google helped me find a way to actually construct the strings in the correct format)

User is pretty simple. There are some good hints here already.

Root was actually pretty difficult for me as I couldn’t anticipate exactly what was blocked and I had to try a ton of stuff (plus close reading of the man pages) to get the flag to dump.

Cool box for sure.