We can get the user.txt flag from here.

Privesc: L4mpje -> Administrator

For privilege escalation, I usually try to look around for interesting files manually before running any enumeration scripts. While doing that, I ended up finding a folder called mRemoteNG.

A quick google search on mRemoteNG shows us this,

An open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

After a bit of research, I’ve found that passwords stored in mRemoteNG can be decrypted and also came across this tool.