From nmap, there are multiple open ports.

Local Picture

It is the web page and gobuster result.

Local Picture

Local Picture

In the plugin folder, there are two .jar files

Local Picture

From BlockyCore.jar, we can get sql credentials.

Local Picture

With wpscan, we can get user named notch.

Local Picture

I tried to ssh to the server with user notch and the password of sql credential, and it succeeded. We get user.txt, and we can run any command with sudo privilege. Using sudo su, we are now root and get root.txt.

Local Picture