Read my Write-up to Writer machine on:
TL;DR
User 1: Discovered the admin login page; running SQLMap showed it is SQL injectable, and we found the FILE privilege. Reading /etc/apache2/sites-enabled/000-default.conf led us to the /var/www/writer.htb/writer.wsgi file, which contains admin credentials. We used those credentials to log in to SMB as the kyle user (taken from /etc/passwd) and replaced the manage.py file with a Python reverse shell to get a reverse shell as www-data. We then found the file /etc/mysql/my.cnf with DB credentials; using those creds, we found that they are the credentials of the kyle user for SSH.
User 2: Found group permission on /etc/postfix/disclaimer. With it we can add a disclaimer (which is a bash script behind the scenes) to outgoing emails. By replacing the disclaimer script with our reverse shell, we get a reverse shell as the user john.
Root: Found write permission on /etc/apt/apt.conf.d. We created a Pre-Invoke script, a persistence technique that runs code whenever apt is run, and used it to get a reverse shell as root.
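
A defender-side check for the condition the Root step relies on, as an added example that is not part of the original write-up: it flags group- or world-writable entries in an APT configuration directory and lists the hook directives that apt will execute. The function names, the sample file names and the hook path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up): defensive audit of an APT config directory.

# Report the directory or any direct entry that is group- or world-writable,
# then every line that defines a hook APT or dpkg will execute.
audit_apt_conf() {
    dir=$1
    # A writable directory lets a non-root user drop a new config file;
    # a writable file lets them edit an existing one.
    find "$dir" -maxdepth 1 ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    # Hook directives run their commands with apt's privileges (root).
    # Stock packages ship some of these, so each hit needs review, not removal.
    # Lines that start with a // or # comment are skipped.
    find "$dir" -maxdepth 1 -type f -exec \
        grep -EHn '^[^/#]*(Pre-Invoke|Post-Invoke|Pre-Install-Pkgs)' {} + |
        sed 's/^/HOOK /'
}

# Constructed sample directory: one file with a hook, one group-writable file.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'APT::Update::Pre-Invoke {"/usr/local/bin/example-hook";};\n' > "$d/99example"
    printf 'APT::Periodic::Enable "1";\n' > "$d/10periodic"
    chmod 755 "$d"; chmod 644 "$d/99example"; chmod 664 "$d/10periodic"
    printf '%s\n' "$d"
}

# Run the audit on the constructed sample; on a real host pass /etc/apt/apt.conf.d.
sample=$(make_sample)
audit_apt_conf "$sample"
rm -rf "$sample"
```

Any WRITABLE line on a production host is a finding in itself, since the directory and its files should be writable by root only.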