From nmap, there are SSH and HTTP services.

This is the web page.

Taking a look at the source code, there is an interesting comment.

This is the directory, and I use gobuster for this directory.

This is the README; it shows that it is using version 4.0.3.

This is the admin page. I tried some basic credentials such as admin/nibbles, admin/password, and admin/nibbles works.

There is a plugin page; after uploading a file, it will be stored as 10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php.
So we upload a PHP reverse shell. By accessing it, we get a shell as user nibbler and get user.txt. With sudo -l, it shows that we can run /home/nibbler/personal/stuff/monitor.sh as root.
This is a piece of code from monitor.sh.
I modify monitor.sh so that it copies bash to the local directory with the SUID bit set. Run ./bash -p, and we can run bash as root.
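
The sudo rule is the root cause here: it names a script inside a directory that the invoking user owns, so that user decides what root runs. As an added example (not part of the original write-up), this audit parses `sudo -l` output and reports every component of each allowed command path that a non-root account owns or that is group/other writable. The sample output, function names and the `stop_at` parameter are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample shaped like the `sudo -l` result described in the write-up.
SAMPLE_SUDO_L = """\
User nibbler may run the following commands on this host:
    (root) /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) [TAG: ...] command[, command ...]" lines from `sudo -l`.
RULE = re.compile(r"^\s*\([^)]*\)\s+(?:[A-Z_]+:\s*)*(.+)$")


def sudo_commands(text):
    """Return the absolute command paths listed in `sudo -l` output."""
    cmds = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            cmds += [c.split()[0] for c in m.group(1).split(",")
                     if c.strip().startswith("/")]
    return cmds


def untrusted_components(path, trusted_uids=(0,), stop_at="/"):
    """Walk from the command up to stop_at and report every file or directory
    that a non-trusted account owns or that is group/other writable."""
    findings = []
    cur, stop = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        try:
            st = os.lstat(cur)
            if st.st_uid not in trusted_uids:
                findings.append((cur, f"owned by uid {st.st_uid}"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((cur, "group/other writable"))
        except OSError:
            pass  # missing/unreadable entry: its parent's permissions decide
        if cur == stop or cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    return findings


if __name__ == "__main__":
    for cmd in sudo_commands(SAMPLE_SUDO_L):
        for where, why in untrusted_components(cmd):
            print(f"{cmd}: {where} is {why}")
```

Any finding means the rule should point at a root-owned script in a root-owned directory instead, or be removed.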