After loading the VM, we are greeted with a login page.
The goal is to log in to the account "Sandb0x".
The challenge description states that the password consists of 4 lowercase characters, where the first character is 'p'. As the VM is called pwnyOS, I immediately guessed the password to be "pwny", which surprisingly worked.
This was probably not the intended solution, as the flag hints that it is supposed to be a timing side-channel attack. But oh well, whatever works, I guess.