Finally got root on this. As a newbie, user was easier than root for me b/c the service to exploit seemed pretty clear. For root, however, I was kind of directionless and expected it to be harder than it was, and ended up overlooking something basic… Once I realized it, the exploit was easy and took like 15 minutes.
Edit: for User, I saw lots of people recommending to look at the source code, but I didn’t find that helpful (I don’t know the language tbf). I think the easier path using a proxy like Burpsuite to monitor requests.