I tried another angle. Maybe it wasn't the web app? I started looking at the SSH version. I spent an hour reading documentation from 2015 about a specific buffer overflow that turned out to be a rabbit hole.
A hacker successfully pivoted through a public web platform to access an internal network. Objective: hackthebox red failure
Once the malicious logic was understood, the following steps were taken to recover the flag: De-obfuscation I tried another angle