Teacher

Nice box, I learned some interesting things.

Some hints:

foothold

ZAP proxy provides some nice features: logging all HTTP traffic (for further analysis), replaying some requests, indexing the site (following all links to find and log all pages), and searching for strings in the logged traffic. Play with it and you will save more time later!

user

If you google correctly and read carefully what is possible, you will get your user.

root

Think about your system in terms of read, write, execute. What can you write, read, execute, and who can do what for you?
It's simple to reproduce the env on our local machine to test more easily.
A root shell is also possible, with a similar technique.

PM me if you are stuck and want a hint.