ldapdomaindump
Using the credentials of the svc_apache account to dump domain information with ldapdomaindump
┌──(kali㉿kali)-[~/…/htb/labs/flight/ldapdomaindump]
└─$ ldapdomaindump ldap://$IP -u 'FLIGHT.HTB\svc_apache' -p 'S@Ss!K@*t13' -r -n $IP --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Dump finished
Computers
The DC host, g0.flight.htb, appears to be the sole computer account within the target domain
Users
The C.Bum user appears to be the most interesting due to its membership in the WebDevs group
Groups
The WebDevs group is the only non-default domain group
The rest are all default AD groups
Interestingly, the Remote Management Users group doesn’t seem to have any members