Loved this one. So rewarding. Learned a lot of things today.
Some nudges.
Foothold: some of dependencies used for building application are vulnerable. One of them is a critical vulnerability. It has a CVE assigned to it. CVE → Google exploit for it.
Root: Look around, look around a lot. All you need is on the box. No need to download and execute external scripts.
Huge thanks to @HcKy. A lot of help without revealing answers. Helped me to not waste too much time on rabbit holes. Love when people encourage you to continue trying.