Read my writeup for Unicode machine on
TL;DR
User: Found a JWT token and used JWKS spoofing (with a redirect URL) to create a JWT token for the admin user. Found an LFI and used it to read the /etc/nginx/sites-available/default file; following the comments in it, we found another file, /home/code/coder/db.yaml, which contains the password of the code user.
Root: By running sudo -l we found the /usr/bin/treport binary. We decompiled it using pyinstxtractor and pycdc, then used command injection on curl to get the root flag.