Tunnel Cake Challenge

I’m working on “Tunnel Cake” and I’ve successfully stolen credentials. I have 2 questions:

1- I changed target’s password using “passwd” command. Did this lab expect us to retrieve the password in another way?

2- For the second part (Nested Tunnels) I’ve tried the commands below:

A: ssh -fN -L 2222:172.16.2.101:22 UserHostB@172.16.1.100 -i key
       ssh -fN -L 8888:127.0.0.1:8888 UserHostB@127.0.0.1 -i key -p 2222

B: ssh -fN -L 8888:127.0.0.1:8888 UserHostB172.16.1.100 ssh -L 8888:127.0.0.1:2222 -N 172.16.2.101
C: ssh -fN -L 8888:127.0.0.1:8888 UserHostB172.16.1.100 ssh -L 8888:127.0.0.1:2222 -N 172.16.2.101 -i key -p 2222

For B and C I got nothing. For the second part of A I got “permission denied”. I was wondering if you could tell me what’s wrong?

Thanks!