Even if you walk in knowing how to approach gaining access and priv esc on this box, there are still a bunch of moving parts, gotchas, and places for things to go wrong. This one is more complicated than the scoring gives it credit for, so don’t be discouraged!
USER: Some accounts are juicier than others and you can be handed an associated hash if you know how to ask nicely. Sifting passed the most obvious protocols will help you find where to use the cred.
ROOT: AD can be a beast, even if you are fairly comfortable with it. Best thing to do here is to dig in and identify what kind of access your account has to objects in the domain and how that access can be exploited. There are tools (mentioned all over this thread) which will help you sniff out the scent of relevant objects and permissions, but really focus on understanding how it all comes together. This one will bite you if you try to just spray commands without understanding what they are doing. Lots to learn here if you play it that way. PM me for a better nudge.