Read my writeup to escape machine on:
TL;DR
User: We discovered a PDF file on a Public share that contained login credentials for MSSQL. With the help of these credentials, we were able to access the database and execute the xp_dirtree command. This gave us the NTLM hash for sql_svc on Responder. After cracking the hash, we logged in using evil-winrm. Upon reviewing the SqlServer logs, we were able to obtain the login credentials for Ryan.Cooper.
Root: We used Certify to locate a misconfigured certificate template. After creating the certificate with Certify, we converted it to a .pfx file. We then used Rubeus to request TGT with the certificate. Finally, we were able to connect as Administrator using evil-winrm and the Administrator NTLM hash.