Read my writeup to Trick machine on:
TL;DR
User: By enumerating DNS using dig, we found the trick.htb and preprod-payroll.trick.htb subdomains. Following the subdomain naming pattern, we found another subdomain, preprod-marketing.trick.htb, with a page that is vulnerable to LFI. Using that, we read the SSH private key of the michael user.
Root: By running sudo -l, we can see that we can restart the fail2ban service. We can also see that we are in the security group and that we can edit the /etc/fail2ban/action.d directory. Using that, we edit the actionban and actionunban entries in the file iptables-multiport.conf, trigger fail2ban by running a brute force against SSH, and get the root SSH private key.
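
From the defender's side, the root step depends on a fail2ban action directory that a non-root group can write to. The following audit is an added example, not part of the original writeup: the function names and the default of trusting only uid 0 and gid 0 are assumptions, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def audit_tree(root, trusted_uids=(0,), trusted_gids=(0,)):
    """Return (path, reason) pairs for entries a non-trusted account could change."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in sorted(paths):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are not meaningful
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            findings.append((path, f"{kind} owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((path, f"group-writable {kind} (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, f"world-writable {kind}"))
    return findings

def build_sample_tree():
    """Constructed sample: a 0644 action file inside a group-writable action.d."""
    root = tempfile.mkdtemp(prefix="f2b-audit-")
    action_d = os.path.join(root, "action.d")
    os.mkdir(action_d)
    conf = os.path.join(action_d, "iptables-multiport.conf")
    with open(conf, "w") as fh:
        fh.write("[Definition]\n")
    os.chmod(conf, 0o644)      # the file itself is not group-writable
    os.chmod(action_d, 0o775)  # but its directory is, so the file can be replaced
    return root

if __name__ == "__main__":
    # Run as a user that can read the tree; actions run as root when fail2ban bans.
    for path, reason in audit_tree("/etc/fail2ban"):
        print(f"{path}: {reason}")
```

A writable directory is reported even when every file in it is root-owned and mode 0644, because write access to the directory is enough to rename a file and put a new one in its place.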