fuzzing
Overpass3 - Hosting
· ☕ 9 min read · ✍️ M4t35Z
dirfuzz --> backup --> gpg --> creds --> ftp --> pw reuse --> nfs

LaunchR
· ☕ 4 min read · ✍️ M4t35Z
IDOR discloses the userid of other users. SSTI discloses SECRET_KEY, which was the same as the JWT secret. With this, I changed my userid to admin.

PlayerTwo
· ☕ 14 min read · ✍️ M4t35Z
My writeup about the insane PlayerTwo machine. I got access to the root flag in an unintended way. There is NO heap exploitation in this writeup!