Read my writeup to Search machine on
TL;DR
User: Found slide_5.jpg, which contains the password of the user Hope.Sharp. Using that, we found the SPN of the web_svc user. The cracked password of web_svc is the same as the password of the Edgar.Jacobs user. Enumerating as Edgar.Jacobs, we found an Excel file called Phishing_Attempt.xlsx with a protected sheet. Removing the sheet protection gives us the password of Sierra.Frye, and we get the user flag.
Root: We have two methods. Method 1: Running Python BloodHound, we found a ReadGMSAPassword permission on the BIR-ADFS-GMSA$ user. The BIR-ADFS-GMSA user has Generic All permission over the user Tristan.Davies, who is a member of Domain Admins. Using the Generic All permission, we reset the password of the Tristan.Davies user and get the root flag.