This is a very simple and easy room, which was a lot of fun.
We start by finding a web server running on port 8080. It is a Node.js application built on the Express framework.
We see that the server assigns us a session cookie. Knowing about deserialization attacks, we find that the way it handles this cookie is vulnerable.
We exploit this vulnerability to get a shell on the box.
On the box, we can execute npm commands as the serv-manage user. With a quick look at GTFOBins, we have our user flag!
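From the defender's side, the session-cookie weakness described above goes away when the server authenticates the cookie before parsing it and parses it as plain data only. The sketch below is an added example, not code from the room or from this write-up; the cookie layout, the `username` field, the secret, and the function names `issueSession` and `readSession` are all assumptions made for illustration.

```javascript
// Added example: signed, data-only session cookies for a Node.js/Express-style app.
const crypto = require("crypto");

// Assumption: a server-side secret (constructed value for this demo only).
const SECRET = "constructed-demo-secret";

// HMAC-SHA256 over the encoded payload, as a base64url string.
function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Cookie format (assumed): base64url(JSON) + "." + HMAC.
function issueSession(data) {
  const payload = Buffer.from(JSON.stringify(data), "utf8").toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns a plain { username } object, or null if the cookie is rejected.
function readSession(cookie) {
  if (typeof cookie !== "string") return null;
  const parts = cookie.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;

  // 1. Authenticate before parsing: client-modified cookies stop here.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }

  // 2. Parse as data only. JSON.parse never revives functions or runs code.
  let obj;
  try {
    obj = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }

  // 3. Allow-list the fields and their types; drop everything else.
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  if (typeof obj.username !== "string" || !/^[\w.-]{1,32}$/.test(obj.username)) return null;
  return { username: obj.username };
}

// Constructed sample usage.
console.log(readSession(issueSession({ username: "guest" }))); // accepted
console.log(readSession("eyJ1c2VybmFtZSI6Imd1ZXN0In0")); // unsigned: rejected
```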