Username Extraction
Using the TGT of the fsmith user, I can authenticate to the target KDC to enumerate all the domain users
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ KRB5CCNAME=fsmith.ccache impacket-GetADUsers EGOTISTICAL-BANK.LOCAL/ -no-pass -k -all -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying SAUNA for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
administrator 2021-07-26 18:16:16.377555 2023-03-25 16:26:38.353708
Guest <never> <never>
krbtgt 2020-01-23 06:45:30.587720 <never>
hsmith 2020-01-23 06:54:34.140321 <never>
fsmith 2020-01-23 17:45:19.047096 2023-03-25 18:00:39.056835
svc_loanmgr 2020-01-25 00:48:31.678079 <never> There are only 3 none default users; hsmith, fsmith, and svc_loanmgr