Excellent box after all - finally managed to root this after fighting with the privesc for quite a while…
In the end the exploit is & was quite simple & stands out if you enumerate properly, and there is a related blog post available online explaining a very similar attack if you know exactly what to google for based on the enum findings.
Really polished & well thought through box, props to the maker!
And huge props to @dividebyzer0 for kicking me in the right direction & helping out when I started overthinking an, after all, simple exploit.