Read my writeup of the MetaTwo machine on:
TL;DR
User: Running wpscan, we find BookingPress < 1.0.11 - Unauthenticated SQL Injection. Using CVE-2022-0739 we get the manager password hash. Using the manager credentials we log in to wp-admin and find that the CMS is affected by CVE-2021-29447. Using this vulnerability we get the ftp password from the wp-config.php file, and from the ftp we get the file send_email.php, which contains the password of the jnelson user.
Root: In the jnelson directory we find passpie, which holds the root password. We crack the passpie passphrase and export the root password from the passpie configuration.