Rooted!
Fun box, user is way harder than root in my opinion. I didn’t use anything from metasploit to get initial shell, but I also didn’t come up with a script myself.
Lots and lots of research and trialling different exploits. Everything else falls into place once you get the shell.
PM me for any questions / hints.