######################

ADset dc01.exam.com .100 .101 .102

######################


1. Start with the PHP upload; you need to add / at the end

2. Kerberoast to get the second user who is admin on .102

3. Mimikatz on .102 to get NTLM of a domain admin

4. Add / at the end of the rev.php file and you get admin on .101 then you can kerberoast.

###########################

Starting with php upload
Once you bypass that PHP file upload, it's very straightforward and easy
All you have to do is get stored hashes with Mimikatz on each box you take over, and yes, upload chisel on the first one to pivot to the others
All I used was Mimikatz/Chisel/Invoke-Kerberoast.ps1/Evil-winrm
You don't need any other tools than that


###########################

To get on the DC you will need to use Mimikatz on the .102
and then you can log in with Evil-winrm on the DC with Nina's creds

I started with 101
The other two are on another subnet
So you can't scan them
When you get on 101 you have to set up a tunnel with chisel

###########################