The flow is rather classic but the path is tortuous (at least it was for me). I needed hints, thanks @TazWake.
For those who found @sparkla’s script useful, check this one out https://github.com/mxrch/webwrap (a wee bit better).
My 2cents (everything has been said!):
Foothold: if you want to get a shell, bypassing the restrictions in place is googleable.
User1: one function will help you do what you need to do to get access. You can land directly here without the foothold above.
User2: enum.
Root: quite a common backdoor.