Thanks for the challenge! I learned a bunch of stuff while figuring this out. User flag took me about 40mins because I couldn’t figure out the correct syntax to connect to service. This was the first face palm moment.
Then I setup my initial reverse shell a bit too bareboned so enumeration for privesc was slow as ■■■■ and I had to do it by hand pretty much. Well didn’t get lucky and decided to take a step back and get a better reverse shell for enumeration. Ran a few scripts and found something interesting and got a root shell at last. Privesc took about 1,5h which should have been alot faster to be honest. This was the second face palm moment.