User part :
-> Run Nmap Scan
-> 2 ports are open, http and RDP
-> i ran directory bruteforce and found it's using wordpress.
without wasting my time i started wpscan for getting vulnerable plugin,vulnerbale theme and users
-> from the scan result i got username. i started enumerating , lets go to the directory which i found previously
-> The link shows auther profile with latest posts
-> only one post have a comment, which is a note by author. lets assume this as password.
-> Now the next step is to try with username and password, for that i used RDP
-> i successfully logged in to user account and got user flag
Root Part :
-> in the desktop , there is an uncommon file.
-> so i searched in google and got a CVE
-> a github which explains how to exploit
-> started to exploit.
1. run as administrator
2. click show more details
3. click show information about certificate
4. click issuer link
5. that opens a browser, click OK
6. click file->saveas . this opens file manager
7. now open cmd and now iam system admin and got flag