An Nmap scan will reveal ports 80 and 443 open. Run the "usual suspects" scans against the web environment (nikto, dirb, a look at /robots.txt, etc.) and you will find the first flag as well as a custom dictionary file for later brute-forcing.
You will need to find some credentials for software installed on the box. The tools to brute-force and crack the creds all come pre-installed on Kali. Armed with those creds, you should be able to upload a shell and execute it for initial visibility into the machine. The low-level account has enough access to discover a hash for an upper-level account, and once you've escalated to that account, you can find key #2.
This one kicked my butt. I had to use the privesc cheatsheets (like g0tmi1k's) to go through a bunch of the files/folders/binaries with a fine-toothed comb to find a misconfigured something which allowed me to escalate privs and grab flag #3. Hint: if you're really stuck, check out this paper.
Video Walkthrough with Full Spoiler Sauce!
Still stuck? Check out the video walkthrough below, but be warned - it contains all the gory details and spoilers of the above walkthrough, so only watch if you dare...