If you require root access to the machine, login as touchy-owl with the password touchy-owl, Then use sudo -s to get a root shell.
Take a look at the website available running and try and compromise the database via SQL injection.
Once you have compromised the database, try and crack some passwords to log into the website.
Try and escalate privileges to the administrator website
Try and get shell access to the host after getting administrator access.
Investigate the host for files and information that may be used for future attacks.
Examine the host for misconfigurations that disclose information that allows future compromises to happen.