I haven’t done the academy, but this is one of the first steps in discovery and recon so I believe this will help even though it’s not directly tied to the academy.
After running your initial nmap scan, you should have a pretty good idea of what’s running on the host. It might be advantageous to run an all-ports scan to ensure you got all of the services running on the target.
While reviewing the nmap results, you will want to look on sites like GitHub, Exploit-DB (SearchSpolit via command line), and Google to find any exploits for the service running.
Depending on the service running, it might help to banner grab the service using netcat to see if you can see the version that way. This is helpful for services like FTP where you can connect via nc <host> 21 and see if you can leak the service and version, example vsftpd 2.3.4.
Hope this helps! If you need any further help, my inbox is always open 