A useful lessons with this box: Finish your enumeration thoroughly, methodically and patiently to display all possible routes in, before moving to try and exploit - otherwise you will miss things out and give yourself a real pain when things don’t work.
There are tutorials around that explain how to interact with the middle port service properly - also another recent HTB machine with the same service running. The Ippsec video / writeups of that one would be useful.
Feel free to PM and I can direct you to links etc.