Swagshop

Finally got root.

This box was incredibly easy after researching the webapp but was by far the most unstable box I’ve encountered on HTB.

Hints for user:
Don’t rely too much on scripts or pre-made exploits. There is one you will need to get the initial foothold, but to exploit the web app you can do it manually much easier after researching/enumerating the app.

Hints for root:
This command should be one of the first things you run in any privesc enumeration. The output is slightly different from the usual boxes that I’ve seen on HTB, and the key is to understand the difference.