Username Enumeration
A misconfigured web application for administering printer/s resulted in exposing a CLEARTEXT credential for what appears to be a service account for printer/s. The credential was later validated and used to request for a TGT
Here, I will get all the domain users
┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ KRB5CCNAME=svc-printer.ccache impacket-GetADUsers return.local/ -no-pass -k -dc-ip $IP -all
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying PRINTER for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
administrator 2021-07-16 17:03:22.557691 2023-03-23 09:16:04.637224
Guest <never> <never>
krbtgt 2021-05-20 15:26:54.838405 <never>
svc-printer 2021-05-26 10:15:13.368362 2023-03-23 12:08:41.777925 It appears that the only none default user is the service account; svc-printer