ldapdomaindump


Using ldapdomaindump with the validated credentials of the svc_deploy account, the entire domain data can be reviewed. Although the majority of the individual domain objects have been identified at this point, it gives an excellent overview with a GUI.

┌──(kali㉿kali)-[~/…/htb/labs/timelapse/ldapdomaindump]
└─$ ldapdomaindump dc01.timelapse.htb -u 'timelapse.htb\svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -n $IP -r --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Done

Domain Computers


There are a total of 4 domain computer accounts. While only the DC host has been identified with its IPv4 address, the rest are unknown at this point.

Domain Users


All the known users are listed with their memberships. Interestingly, the svc_deploy account is part of both the Remote Management Users and LAPS_Readers groups. This would mean that I can start a PowerShell session as the svc_deploy user.
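The membership combination noted above is also something a defender can audit for. The following is an added example, not part of the original write-up or of ldapdomaindump itself: it assumes the dump was taken with JSON output enabled and that each entry has a `dn` plus list-valued `attributes`; the sample records, their DNs and the two group sets are constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of a domain_users.json dump.
# DNs and the two "example_" accounts are illustrative, not from the page.
SAMPLE_DUMP = json.dumps([
    {"dn": "CN=svc_deploy,CN=Users,DC=timelapse,DC=htb",
     "attributes": {"sAMAccountName": ["svc_deploy"], "memberOf": [
         "CN=LAPS_Readers,CN=Users,DC=timelapse,DC=htb",
         "CN=Remote Management Users,CN=Builtin,DC=timelapse,DC=htb"]}},
    {"dn": "CN=example_user,CN=Users,DC=timelapse,DC=htb",
     "attributes": {"sAMAccountName": ["example_user"], "memberOf": [
         "CN=Remote Management Users,CN=Builtin,DC=timelapse,DC=htb"]}},
    {"dn": "CN=example_nogroup,CN=Users,DC=timelapse,DC=htb",
     "attributes": {"sAMAccountName": ["example_nogroup"]}},
])

# Group names taken from the page; which groups count as "remote access"
# or "secret readers" in a given domain is an assumption to adjust.
REMOTE_ACCESS = {"remote management users"}
SECRET_READERS = {"laps_readers"}

def first_rdn_value(dn):
    """Value of the leftmost RDN, honouring backslash escapes (not hex escapes)."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":
            break
        out.append(dn[i])
        i += 1
    return "".join(out).partition("=")[2]

def risky_accounts(dump_text):
    """Accounts holding both a remote-access and a secret-reader group.
    memberOf omits the primary group and nested memberships, so a clean
    result here is not proof that no such account exists."""
    findings = []
    for entry in json.loads(dump_text):
        attrs = entry.get("attributes", {})
        member_of = attrs.get("memberOf", [])
        if isinstance(member_of, str):
            member_of = [member_of]
        groups = {first_rdn_value(dn).lower() for dn in member_of}
        if groups & REMOTE_ACCESS and groups & SECRET_READERS:
            name = attrs.get("sAMAccountName", [entry.get("dn", "?")])
            name = name[0] if isinstance(name, list) else name
            findings.append((name, sorted(groups & (REMOTE_ACCESS | SECRET_READERS))))
    return findings
```

Run against a real dump, any account it reports is a candidate for splitting the two privileges across separate identities.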

Domain Groups


As already identified, those 3 are the only non-default groups in the target domain.