Summary

Upon initial enumeration of the SMB "Replication" share, I was able to come across a Groups.xml file that I was able to decrypt using gpp-decrypt. After decrypting the password, I was able to kerberoast the user "Administrator", which was easy dubs.
