Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.
secretsdump
Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.