Undetected Writeup by evyatar9

Read my Writeup to Undetected machine on

TL;DR

User: On /vendor we found phpunit and used CVE-2017-9841 to get RCE, which gave us a reverse shell as www-data. We then found the file /var/backups/info; running strings on it showed a base64 string containing the hashed password of a newly created user. Cracking that hash gave us the password of the steven1 user.

Root: By reading steven's mail we found a hint about the Apache service. We found an odd module in the /lib/apache2/modules directory; running strings on it revealed base64 strings showing that the attacker had replaced the /usr/sbin/sshd file. Decompiling that file, we found the password in the auth_password function (it needs to be XORed first), which gave us the root password.
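Both the user and root steps come down to the same triage move: run strings over a suspicious file and decode any base64 blobs it embeds. The script below automates that triage. It is an added example, not code from the writeup; the sample blob, the module name and the decoded text are all constructed stand-ins for the real module, so the only thing it shares with the box is the technique.

```python
import base64
import re
import string

# Constructed sample: a fake shared-object blob with one embedded base64 string,
# standing in for what `strings` would show on a real suspicious Apache module.
_HIDDEN_TEXT = "CONSTRUCTED sample: script that swaps /usr/sbin/sshd for a trojaned copy"
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"mod_reader.so\x00apache_module\x00"      # constructed module name
    + base64.b64encode(_HIDDEN_TEXT.encode()) + b"\x00"
    + b"\x90" * 6 + b"hello\x00"
)

# Printable ASCII minus control whitespace, mirroring what `strings` prints.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")
# A base64 candidate: long run of the base64 alphabet with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable runs of at least min_len bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def decode_base64_candidates(strs):
    """Decode strings that look like base64 and yield mostly printable text.

    Returns a list of (encoded, decoded) pairs; binary-looking decodes are dropped
    so that random alphanumeric runs in a binary do not flood the output.
    """
    found = []
    for s in strs:
        if not B64_RE.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="replace")
        printable_ratio = sum(ch.isprintable() for ch in text) / max(len(text), 1)
        if printable_ratio > 0.9:
            found.append((s, text))
    return found


def triage(data: bytes):
    """strings + base64 decode in one pass over a file's bytes."""
    return decode_base64_candidates(extract_strings(data))


if __name__ == "__main__":
    for encoded, decoded in triage(SAMPLE_BLOB):
        print(f"{encoded[:24]}... -> {decoded}")
```

On a real file replace SAMPLE_BLOB with `open(path, "rb").read()`; the printable-ratio filter is what keeps the output readable, since long identifier strings in a real .so often match the base64 alphabet by accident. A hit that decodes to a command touching system binaries such as /usr/sbin/sshd is exactly the kind of finding that should trigger a package-integrity check on that binary.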