LdapDomainDump
LdapDomainDump provides a great overview of a domain, much like BloodHound, but in a database style.
Now that I have a valid domain credential, I can use ldapdomaindump remotely:
┌──(kali㉿kali)-[~/…/htb/labs/resolute/ldapdomaindump]
└─$ ldapdomaindump ldap://$IP:389 -u 'MEGABANK.LOCAL\melanie' -p 'Welcome123!' -n $IP --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Dumping the target domain information
Hosts
There are 2 computer accounts within the domain.
MS02.megabank.local
Resolute.megabank.local
Resolute.megabank.local is the DC machine, whereas MS02.megabank.local is a workstation host.
Groups
There is a single non-default domain group, Contractors, which is also part of the following groups: DnsAdmins and Remote Management Users.
Users
The current user is part of the Remote Management Users group.
This means that I am able to WinRM directly into the target system.
The ryan user is part of the Contractors group.
Although it is unclear at this time what the Contractors group is capable of, it is important to note it, as it is a non-default group.
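
The nesting noted above (ryan in Contractors, Contractors in DnsAdmins and Remote Management Users) is what a domain audit should surface. The following is an added example, not part of the original write-up: it resolves transitive group membership over constructed data modelled on these groups; the dictionary layout, the watch list and the function names are assumptions, not ldapdomaindump's output format.

```python
from collections import deque

# Constructed sample data modelled on the write-up: principal -> direct groups.
# This layout is an assumption, not ldapdomaindump's output format.
MEMBER_OF = {
    "melanie": ["Remote Management Users"],
    "ryan": ["Contractors"],
    "Contractors": ["DnsAdmins", "Remote Management Users"],
}

# Groups whose membership deserves review (assumed watch list for this example).
SENSITIVE = {"DnsAdmins", "Remote Management Users"}


def effective_groups(principal, member_of):
    """Return {group: path} for every group reached directly or via nesting."""
    paths = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for group in member_of.get(node, []):
            if group in paths or group in path:  # already seen, or a nesting loop
                continue
            paths[group] = path + [group]
            queue.append((group, paths[group]))
    return paths


def audit(users, member_of, sensitive):
    """List (user, sensitive_group, path) where access is inherited through nesting."""
    findings = []
    for user in users:
        for group, path in sorted(effective_groups(user, member_of).items()):
            if group in sensitive and len(path) > 2:  # more than user -> group
                findings.append((user, group, " -> ".join(path)))
    return findings


if __name__ == "__main__":
    for user, group, path in audit(["melanie", "ryan"], MEMBER_OF, SENSITIVE):
        print(f"{user}: inherits {group} via {path}")
```

Direct memberships such as melanie's are visible on the user object itself; the audit reports only the inherited ones, which are the easy ones to miss when reviewing a non-default group.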