Timelapse writeup by evyatar9

Read my writeup for Timelapse machine on

TL;DR

User 1: By enumerating the shares we found a zip file called winrm_backup.zip. By cracking the zip we found the legacyy_dev_auth.pfx file (client certificate authentication with WinRM). Using the pfx file we created a certificate and private key and used them to log in using evil-winrm as the legacyy user.

User 2: By enumerating the PowerShell history we found the password of the svc_deploy user.

Root: Extracting the password of the Administrator user from LAPS using pyLAPS.