From the above screenshot we can see three open ports, 22 (SSH) 80 (HTTP) and 443 (HTTPS)

checking the web pages on both http and https I only got a test pages of Apache web server running on CentOS.

Foothold

I tried all means to find a foothold, as you can see above, even gobuster found nothing interesting I decided to go back to the basics with Nikto and found a subdomain office.paper

Found a Vulnerability in the Wordpress site running version 5.2.3, also a comment of from a user Nate helped narrowing down the expolit.

I found the secret page/draft using the exploit http://office.paper/?static=1&orderBy=asc&m=YYYYMMDD from which I found the link to their private chat.

User

I created a new account with the link and had access to the General chat group, above we can we a bot called Recyclops which allows us show files and more.

Opened a direct chat with the Bot but not able to get the user.txt flag because access is denied.

Logged in to ssh with the the password Queenofblad3s!23 and username of the bot creator dwight where our user flag was waiting for the picking

Privilege Escalation

uploaded linpeas.sh to the system for privilege escalation and after running it discovered that an easy priv-esc Polkit CVE, you can find a working POC here. The rest was pretty straight forward