ldapdomaindump


Using the support user's credentials, dump domain information with ldapdomaindump:

┌──(kali㉿kali)-[~/…/htb/labs/blackfield/ldapdomaindump]
└─$ ldapdomaindump ldap://dc01.blackfield.local:389 -u 'BLACKFIELD.LOCAL\support' -p '#00^BlackKnight' -n $IP --no-json --no-grep           
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Dump finished

Computers


The DC host, dc01.blackfield.local, appears to be the only active computer account.

Users


While I won’t be listing out the entire table of domain users, I have found an interesting fact.

Those [[Blackfield_RID_Cycling|enumerated user accounts]] from the [RID cycling](https://www.trustedsec.com/blog/new-tool-release-rpc_enum-rid-cycling-attack/) technique, starting with BLACKFIELD******, have both CN and name attributes matching the usernames found in the //dc01.blackfield.local/profiles$ share. It would appear that the first name is redacted to its first letter only. Updating the users.txt file accordingly.

Additionally, the lydericlefebvre user has the description field populated with the following: @lydericlefebvre - VM Creator

Groups


While the full table of the target domain's groups is redacted here, there are no non-default domain groups.

svc_backup


However, it is worth noting that the svc_backup account is a member of both the Remote Management Users and Backup Operators groups, which makes it a valuable target.
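The two findings above (a populated description field and a service account sitting in built-in privileged groups) are exactly what an administrator should review in the same dump. The following is an added example, not part of this writeup or of ldapdomaindump itself: it assumes the dump was run with JSON output enabled (the default, i.e. without --no-json) and that domain_users.json is a list of entries with "dn" and "attributes" keys; the sample entries below are constructed to match that shape.

```python
import json
from typing import Any

# Built-in groups whose membership warrants review: Backup Operators can read
# any file on the DC (including AD database backups) and Remote Management
# Users grants WinRM logon. Group names are taken from the CN of the group DN.
SENSITIVE_GROUPS = {"Backup Operators", "Remote Management Users",
                    "Domain Admins", "Administrators"}

# Constructed sample in the assumed shape of ldapdomaindump's domain_users.json.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=svc_backup,CN=Users,DC=BLACKFIELD,DC=local",
     "attributes": {"sAMAccountName": "svc_backup", "description": [],
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=BLACKFIELD,DC=local",
                                 "CN=Remote Management Users,CN=Builtin,DC=BLACKFIELD,DC=local"]}},
    {"dn": "CN=lydericlefebvre,CN=Users,DC=BLACKFIELD,DC=local",
     "attributes": {"sAMAccountName": "lydericlefebvre",
                    "description": ["@lydericlefebvre - VM Creator"], "memberOf": []}},
    {"dn": "CN=support,CN=Users,DC=BLACKFIELD,DC=local",
     "attributes": {"sAMAccountName": "support", "description": [], "memberOf": []}},
])


def as_list(value: Any) -> list:
    """Normalise an attribute that may be absent, a string, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def group_cn(dn: str) -> str:
    """Return the CN of a group DN, e.g. 'Backup Operators'."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def audit_users(users_json: str) -> dict[str, dict[str, Any]]:
    """Flag accounts in sensitive groups or with a populated description.

    Returns {sAMAccountName: {"groups": [...], "description": str}} only
    for accounts that need review; an empty dict means nothing stood out.
    """
    findings: dict[str, dict[str, Any]] = {}
    for entry in json.loads(users_json):
        attrs = entry["attributes"]
        name = as_list(attrs.get("sAMAccountName"))[0]
        groups = [group_cn(g) for g in as_list(attrs.get("memberOf"))]
        hits = sorted(g for g in groups if g in SENSITIVE_GROUPS)
        desc = " ".join(as_list(attrs.get("description")))
        if hits or desc:
            findings[name] = {"groups": hits, "description": desc}
    return findings


if __name__ == "__main__":
    for user, info in audit_users(SAMPLE_USERS_JSON).items():
        print(f"{user}: groups={info['groups']} description={info['description']!r}")
```

Point it at a real domain_users.json by replacing SAMPLE_USERS_JSON with the file's contents; the description check is a cheap way to catch credentials or role hints that should never live in directory attributes.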