Mango

Good box, learnt some new things. User was pretty annoying because there are several rabbit holes. Once you’ve got the login page, focus on that exclusively and forget the other subdomains. It’s not mentioned in any of the solutions, but it IS in fact possible to figure out the underlying tech using dir/file bruteforcing (if you hadn’t had any hints from the forums or box name). There is a certain file, ins******.j*on, that gives you the info. As for the script, don’t exclude special chars, just escape them.

Popping a root shell is simple. No need to mess around with SSH keys at all like a lot of people mention (in real life most boxes have root SSH disabled anyways, so that’d be useless). bash -p is your friend.