LDAPDomainDump
A misconfigured web application for administering printers exposed a CLEARTEXT credential for what appears to be a printer service account. The credential was later validated and used to request a TGT.
Here, I will get ldapdomaindump running to get a general review of the target domain.
┌──(kali㉿kali)-[~/…/htb/labs/return/ldapdomaindump]
└─$ ldapdomaindump printer.return.local -u 'return.local\svc-printer' -p '1edFg43012!!' -n $IP
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Unfortunately, I am unable to conduct the pass-the-ticket technique, as ldapdomaindump doesn't support importing Kerberos tickets. Nevertheless, I got the domain information out in HTML format.
Computers
It appears that the target host is the only machine in the domain.
Users
The svc-printer user is part of the following groups:
Server Operators
Remote Management Users
Print Operators
Given the context of the group membership, I’d assume that the next attack vector would be relevant to exploiting the printer.
Regardless, I should be able to gain a foothold on the target system directly via WinRM, as the user is part of the Remote Management Users group.
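The group-membership review above is easy to automate from the dump itself. The following is an added example, not code from the original writeup or from ldapdomaindump: it reads entries in the layout ldapdomaindump writes to domain_users.json (a list of objects with "dn" and "attributes" keys, memberOf holding group DNs, which is an assumption about the format) and reports every account sitting in a built-in group that grants logon or administrative reach, so a defender can spot service accounts like svc-printer that should not hold such membership. The sample entries are constructed to mirror the finding on this page.

```python
"""Flag users that ldapdomaindump lists in sensitive groups (added example,
not ldapdomaindump's own code). Assumes domain_users.json's layout: a list of
entries with "dn" and "attributes" keys, memberOf holding group DNs."""
import json

# Built-in groups whose members can log on to or administer a host.
SENSITIVE_GROUPS = {"Server Operators", "Remote Management Users", "Print Operators"}

# Constructed sample in the shape of ldapdomaindump's domain_users.json.
SAMPLE_DUMP = json.dumps([
    {
        "dn": "CN=svc-printer,CN=Users,DC=return,DC=local",
        "attributes": {
            "sAMAccountName": ["svc-printer"],
            "memberOf": [
                "CN=Server Operators,CN=Builtin,DC=return,DC=local",
                "CN=Remote Management Users,CN=Builtin,DC=return,DC=local",
                "CN=Print Operators,CN=Builtin,DC=return,DC=local",
            ],
        },
    },
    {
        "dn": "CN=jdoe,CN=Users,DC=return,DC=local",
        "attributes": {"sAMAccountName": ["jdoe"], "memberOf": []},
    },
])


def group_cn(dn):
    """Return the CN of a group DN, e.g. 'Server Operators'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else first


def sensitive_members(dump_json, sensitive=SENSITIVE_GROUPS):
    """Map each user to the sensitive groups it belongs to; clean users are omitted."""
    findings = {}
    for entry in json.loads(dump_json):
        attrs = entry.get("attributes", {})
        # Fall back to the DN when sAMAccountName is absent from the entry.
        name = attrs.get("sAMAccountName", [entry["dn"]])[0]
        hits = [group_cn(g) for g in attrs.get("memberOf", []) if group_cn(g) in sensitive]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for user, groups in sensitive_members(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(groups)}")
```

Point the script at a real domain_users.json (read the file instead of SAMPLE_DUMP) to list every account whose membership warrants review.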