The nmap scan shows multiple open ports.
This is the web page and the gobuster result.
In the plugin folder, there are two .jar files.
From BlockyCore.jar, we can get SQL credentials.
With wpscan, we can get a user named
I tried to ssh to the server with user notch and the password from the SQL credentials, and it succeeded. We get user.txt, and we can run any command with sudo privilege. Using sudo su, we are now root and get root.txt.
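
Credentials recoverable from a plugin .jar, as with BlockyCore.jar above, are usually string literals compiled into a class's constant pool. The script below is an added example, not part of the original write-up: it audits a .jar before deployment by listing the string literals of every class that also declares a credential-like identifier. The field name `dbPassword`, the class path and the sample literal are constructed for the demonstration.

```python
import io, re, struct, zipfile

# Payload size per constant-pool tag (JVM spec 4.4); tag 1 (Utf8) is variable-length.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPECT = re.compile(r"pass|pwd|secret|token", re.I)

def parse_pool(data):
    """Return (all Utf8 entries by index, string literals) from one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in SIZES:
            if tag == 8:  # CONSTANT_String points at the Utf8 entry holding the literal
                refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double take two slots
    return utf8, [utf8[r] for r in refs if r in utf8]

def audit_jar(jar):
    """Map class name -> (credential-like identifiers, string literals to review)."""
    findings = {}
    with zipfile.ZipFile(jar) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".class")):
            utf8, literals = parse_pool(zf.read(name))
            names = sorted(s for s in utf8.values()
                           if SUSPECT.search(s) and s not in literals)
            if names and literals:
                findings[name] = (names, literals)
    return findings

def sample_jar():
    """Constructed input: a class header and constant pool only, not a loadable class."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = u("dbPassword") + u("example-password-123") + b"\x08\x00\x02" + b"\x05" + bytes(8)
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 6) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Demo.class", cls)
    return buf
```

Any literal this reports should be moved out of the plugin into a secrets store and rotated, and it must not double as an OS account password, which is the reuse that made the SSH login above succeed.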