onetwoseven

In the same spot

stuck after getting user and finding the plugin-upload page :confused:

Anyone can give any hints? Don't know if sftp is the right path.

For user, I can confirm that sftp is the right path.
Don’t forget there is a help command and try the different commands that are available. This gives you a better idea of the privileges you have, and you might find how some useful commands aren’t restricted.

Lol user was easy and interesting.

Have gotten a reverse shell and am working on root.

Is s*** /usr/bin/a****** u***** a rabbit hole, or should I continue along that path?

Well there is interesting thing I’m seeing there after running reverse shell command!
EDIT: Lol I was doing something terribly wrong

Anyone have some hint for a start? I am able to upload via sftp, but php does not seem to work :frowning:

Can someone please help… Am stuck after the sftp access… Tried with many reverse shells for image or php, none of them are working…

1 2 7 3
Gotta use sftp. :slight_smile:

Is the final step for root just a** takeover? Or am I just chasing ghosts here?

@FlameOfIgnis said:

Is the final step for root just a** takeover? Or am I just chasing ghosts here?

I’m in this same spot thinking the same thing.

so the sftp part was easy but not sure where to go from there … able to upload but not get callback … any hints?

@kilo5150 said:

so the sftp part was easy but not sure where to go from there … able to upload but not get callback … any hints?

Same boat :slight_smile: I play with c** and g**, maybe the right way, but now just stuck. Any hint will be welcome :smiley:

Wow, really nice box @jkr, I liked that privesc, something we haven’t seen on HTB yet.

Spoiler Removed

This is really a great box, congrats @mprox for the bloods and super thanks to @jkr for this awesome box. That privesc is something special…

How on earth do you get anything through the uploader…? :scream:
Keeps on showing ‘success’ but files don’t appear anywhere… :skull:

Really nice box so far, but I’m stuck in on the priv esc from the shell. Found some interesting files, including the command a****** u***** which under some circumstances can be exploited to gain escalated privileges. However, it seems that the config files, etc., are hardened too much to take advantage of this method.

Been enumerating the system a couple of times now, maybe I’m missing something simple, maybe not. But I just keep getting drawn by the aforementioned command. Will someone PM whether it’s the path to walk or not?

Got user, thanks to some insight from Pavel!
Working on root. Haven’t found this upload plugin people are talking about, but I think it has something to do with a hidden link but 6** is filtered. I tried to forward my way in, but the site wants what it wants. Name is making a lot more sense now, not sure how to get access to a***** page. Any hints?