Running Nmap on this rascal reveals port 80 to be open. I conducted a dirb scan and looked at the "usual suspects" (Nikto results, /robots.txt, source code, etc.) to determine the next folder to explore.
Once you run dirb on that folder, you will find links to a base URL page, as well as a login form. Based on the recon completed thus far (and possibly some OSINT on the side), you will need to craft a wordlist to use for brute-forcing the login form.
When that is complete, a new software package is revealed which has upload capability. You should be able to upload a file which will give you a reverse shell and/or direct access to the box. From there, do some basic enumeration (uname -a, looking at /etc/passwd, using privilege escalation cheat sheets, etc.) and you should find a high-priv user who you can escalate to using password brute force or another method (don't forget to try passwords found in OSINT or that have to do with the "theme" of this box).
Once elevated to a higher priv'd user, check the /root folder and sniff around for the ever-elusive flag. Once discovered, you will find it is still "buried" another level deep, and you'll have to once again use your brute-forcing skills to crack it open!
Video Walkthrough with Full Spoiler Sauce!
Still stuck? Check out the video walkthrough below, but be warned - it contains all the gory details and spoilers of the above walkthrough, so only watch if you dare...