Port 21, FTP, hmmm do they accept anonymous access? If so what can I see as an anonymous user when I connect?
Port 22, SSH, can it be brute-forced? Were there any possible hints to usernames on the website? Maybe some email addresses? Maybe those recipient names are the same as network user IDs? Hmmm, write those down for later. That is where Hydra will come in. Once I get into SSH, do I have elevated privileges? Can I sudo up? Can I find some interesting files that may lead me to root?
Many people believe root is the key to the pen test, but actually root just helps you get further in. Your ultimate goal is to show you were able to retrieve and exfiltrate critical data such as PHI, PII, PCI, IP or other types of juicy data.
Now back to the accessible websites, you can go further than just recon. You can spider the site (with a tool like Burp Suite or manually) to look for possible vulnerable sections. Is it vulnerable to cross-site scripting or SQLi? Is the site running on IIS or Apache? Any other types of plug-ins or third-party apps running on the site? Basically, can I use the site as a jump point or a way to get more user information?
OK, think I gave you a good amount to work with. Good luck!!