Summary

1. use anonymous sessions to find txt in HR share
2. use RID-bruteforcing to find usernames
3. password spray password on found user to find valid credentials
4. read AD user info using rpcclient and find new password
5. winrm into the box with new credentials (user)
6. abuse SeBackupPrivilege to escalate to Administrator (root)

Initial Enumeration

As always I start with a port scan using nmap to find running services.

First I find all open ports using a simple port scan: