How can this be rated Hard? From XXE injection in DOCX to binary exploitation and a minor detour to the root flag, this could have been easily rated Insane.
NIce write up - and I totally agree. It was (until it retired, of course) one of the three hardest boxes on HTB.
I think the binary took me a lifetime to resolve. Your code is much more elegant than mine was!
I also only ever ended up with a shell that lasted about 3 seconds, so I had to resort to a quick paste of commands to get a second shell before the first one died.
Like I said, this box was hard.
Nice writeup. And I definitely agree this box was Insane. It was especially crushing to finally get root after 6-7 steps and find that root.txt was missing!