Enumerate things with bloodhound, refer to bloodhound edges for abuses, and utilize powerview/sharpsploit to do so
Spin up neo4j and bloodhound
#As root
neo4j console
wget <https://github.com/BloodHoundAD/BloodHound/releases/download/4.2.0/BloodHound-linux-x64.zip>
unzip BloodHound-linux-x64.zip
BloodHound-linux-x64/Bloodhound/Bloodhound -no-sandbox
Run the ingestor from the compromised host
SharpHound.exe -c all
Invoke-BloodHound -ZipFileName 'PATH/TO/ZIP.zip' -JsonFolder 'PATH/TO/folderas above' -CollectionMethod All -Domain FQDN
Or from kali
pip install bloodhound
bloodhound-python -u 'user' -p 'pass' -ns dc_ip -d htb.local -c all
Interpret the result; find the edge, requirements, and the powerview commands associated.
Edges - BloodHound 4.2.0 documentation
. .\\PowerView.ps1
powershell-import
Refer to this when attempting to abuse edges