
Good box for newbies like me. I learnt a lot.

Initial foothold: knowing the web, search for an exploit.

User1: enumerate to know which files you have access to. Then analyse them to reach the most interesting one with a password.

User2: enumerate again to reach interesting .php files. Then think about how to reach a website internally. Curl is your friend, and then John.

Root: see what you can execute with this user’s permissions and then surf on GTFOBins.

PM if you need more nudges.