For the story line for these levels, please see the story line page.
If you require root access to the machine, login as vicious-platypus with the password vicious-platypus
Then use sudo -s to get a root shell.
View the sites robots.txt, and audit the password reset functionality. The token is on one of the pages that require authentication.
There exists a vulnerability in the blog post software, exploit it to get the admin token. (The admin user browses every 5 minutes).
Log into the BuoAV administrator page.