Driver write-up by evyatar9

Read my write-up to Driver machine on

TL;DR

User: Found admin:admin credentials for port 80. Using smb-share-scf-file-attack, we captured the user's NTLM hash with Responder and obtained the credentials of the tony user.

Root: Running Get-Service -Name "spooler" shows that the Print Spooler service is running. We used PrintNightmare to escalate privileges by creating a new user in the administrator group.
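
The same Get-Service check can be turned into a defender's audit of a host. The following is an added example, not part of the original write-up: the function name Get-SpoolerExposure is hypothetical, and the registry values it reads are the Point and Print policy settings Microsoft documents in its PrintNightmare guidance, which this page does not mention.

```powershell
# Added example: audit a Windows host for the Print Spooler exposure used in the Root step.
# Assumption: run locally in an elevated PowerShell 5.1+ session.
function Get-SpoolerExposure {
    $findings = [System.Collections.Generic.List[string]]::new()
    $svc = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue

    if (-not $svc) {
        # No spooler service registered: nothing to harden here.
        return [pscustomobject]@{ Status = 'NotInstalled'; StartType = $null; Findings = @() }
    }
    if ($svc.Status -eq 'Running') {
        $findings.Add('Spooler is running; stop it on hosts that do not need to print.')
    }
    if ($svc.StartType -ne 'Disabled') {
        $findings.Add("Spooler start type is $($svc.StartType); a stopped service can be started again.")
    }

    # Point and Print policy values (absent key or value means the OS default applies).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($pnp) {
        if ($pnp.NoWarningNoElevationOnInstall -eq 1) {
            $findings.Add('NoWarningNoElevationOnInstall = 1: driver installs skip the elevation prompt.')
        }
        if ($null -ne $pnp.UpdatePromptSettings -and $pnp.UpdatePromptSettings -ne 0) {
            $findings.Add('UpdatePromptSettings is non-zero: driver updates skip the elevation prompt.')
        }
        if ($pnp.RestrictDriverInstallationToAdministrators -eq 0) {
            $findings.Add('RestrictDriverInstallationToAdministrators = 0: non-admins can install printer drivers.')
        }
    }

    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        Findings  = $findings.ToArray()
    }
}

# Report the result; an empty Findings list means none of the checks above fired.
$report = Get-SpoolerExposure
$report | Format-List

# Remediation for hosts that do not need printing (uncomment to apply):
# Stop-Service -Name 'Spooler' -Force
# Set-Service  -Name 'Spooler' -StartupType Disabled
```

An empty Findings list only means these specific checks passed; patch level still has to be verified separately.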