A very tricky VM, level is hard, can be download here.
First, use nmap to scan ports.
Gobuser to bruteforce folders and files at port 80, found nothing.
There's only one image at index.html.
Download and extract pass.txt from the jpg file.
Use hydra to brutefoce ssh user's name.
Logged in as user daneil through ssh, but the bash is restricted.
Again, logged in with "-t"option to bypass resctricted bash.
ssh email@example.com -t "bash --noprofile"
There are three users in home directory. And the user flag is in gabriel's home. So, we need to escalate to other user.
Here is the most tricky part. As user daniel, I spend a lot of time browse the VM, but found nothing. Then I asked for help from this great guy @d4t4s3c. In /etc/nginx/sites-available, we can find a URL name: loneysoul.hmv.
In fact, if we put some php into /var/www/html, and access it directly through IP, it will not be interpreted. But if called from lonelysol.hmv/xxx.php, it will be interpreted. And, the author did want us to get www-data user as the second user, but not the other two in /home folder.
Upload a reverse shell php file in /var/www/html, and curl it through url, we get reverse shell of user www-data.
User 'www-data' can sudo /tmp/whoami, so we create a file named whoami in /tmp, and code is: bash.
Sudo to user gabriel, and now we get the user flag.
Continue, user "gabriel" can sudo hping3, then escalate to user "peter".
Here is the second hard part. We can find that /usr/sbin/agetty maybe an useful file for privilege escalation, so I googled a lot, but found no answer.
Thanks for the great spanish guy @d4t4s3c. Here is the magic cmd:
/usr/sbin/agetty -o -p -a root -l /bin/bash tty