I enumerated the first user pretty quickly and was able to get the password. Enumeration then revealed where I should pivot next, but the port I needed to be open wasn’t available (AU free lab) even after multiple restarts. I spent about 8 hours looking for other ways in before reaching out to @VbScrub who confirmed my suspicion that the system was unsolvable without that port.
I submitted a support ticket but ended up just going VIP. In the VIP lab the system did have the port open so I quickly got the user flag.
I then leveraged that access to use a new (to me) tool to look for credentials which had been registered in an odd place. This revealed a password for a second account I’d already found, which I was able to use to get even more useful information.
At this point I struggled for a bit trying different tools, and I must have been invoking them incorrectly due to a lack Windows admin knowledge, but one of them finally worked and I was able to pass by this roadblock and get the root flag.
At the suggestion of @VbScrub I then watched some of his “Tutorials” videos which helped me understand what was going on.
If you struggle with this system, I’d encourage you to watch the videos.