This machine was medium level windows which involves SQL Server interaction, then using Responder to capture the hash of the sqlsvc
user and then enumerating files on the system, from there obtaining password for another user and in the end taking advantage of a vulnerable ADCS Template to gain Administrator access.