User part:

-> Run Nmap Scan

-> 2 ports are open, HTTP and RDP

-> I ran a directory brute-force and found it's using WordPress.
Without wasting my time, I started WPScan to get vulnerable plugins, vulnerable themes and users.

-> From the scan result I got a username. I started enumerating; let's go to the directory which I found previously.

-> The link shows the author profile with the latest posts

-> Only one post has a comment, which is a note by the author. Let's assume this is the password.

-> Now the next step is to try the username and password; for that I used RDP

-> I successfully logged in to the user account and got the user flag

Root part:

-> On the desktop, there is an uncommon file.

-> So I searched on Google and got a CVE

-> A GitHub page which explains how to exploit it

-> Started to exploit.

1. Run as administrator

2. Click "Show more details"

3. Click "Show information about certificate"

4. Click the issuer link

5. That opens a browser; click OK

6. Click File -> Save As. This opens the file manager

7. Now open cmd; now I am system admin and got the flag