Actually, I did the following but still no idea what should I go.
I used dirb and nikto and got few directories and I can see a folder contains many .php file however, php is not downloadable and some xml file is not really useful.
Furthermore, I do see some huge and mass javascript files. tried to look into detail but not much information found.
I also google the “ssh [version I found in nmap] exploit”, tried few script and not seems not vulnerable.
Maybe i overlooked some information and any hints are appreciated. thanks!