LDAPDomainDump
Using the credential of the v.ventz user, I can get an overview of the target domain with ldapdomaindump:
```
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced/ldapdomaindump]
└─$ ldapdomaindump ResourceDC.resourced.local -u 'RESOURCED.LOCAL\v.ventz' -p 'HotelCalifornia194!' -n ResourceDC.resourced.local --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
Complete
Computers
ResourceDC.resourced.local
Users
- The same CLEARTEXT credential of the v.ventz user can be seen in the LDAP Description attribute; HotelCalifornia194!
- The L.Livingstone user is the only user that can either WinRM or RDP to the target system
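
A cleartext password sitting in a Description attribute, as noted above, is something a directory owner can audit for in their own user export. The following is an added example, not part of the original writeup: a heuristic check over user records, where the record shape (ldap3-style JSON entries), the sample accounts and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample records (assumed shape: {"attributes": {name: [values]}}).
# None of these accounts or descriptions come from the page.
SAMPLE_USERS = [
    {"attributes": {"sAMAccountName": ["a.admin"],
                    "description": ["Built-in account for administering the domain"]}},
    {"attributes": {"sAMAccountName": ["j.doe"],
                    "description": ["New hire, reminder: Summer-Example2024!"]}},
    {"attributes": {"sAMAccountName": ["svc.backup"],
                    "description": ["pwd=changeme"]}},
    {"attributes": {"sAMAccountName": ["m.ray"], "description": []}},
    {"attributes": {"sAMAccountName": ["k.lee"]}},  # attribute absent entirely
]

# Words that suggest the free-text field is being used to store a credential.
KEYWORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def looks_like_secret(token):
    """Heuristic: 8+ chars, contains a digit, mixes at least 3 character classes."""
    token = token.strip(".,;:()[]\"'")
    if len(token) < 8 or not re.search(r"\d", token):
        return False
    return sum(re.search(p, token) is not None for p in CLASSES) >= 3

def audit_descriptions(users):
    """Return (account, reason) pairs for descriptions that need manual review."""
    findings = []
    for entry in users:
        attrs = entry.get("attributes", {})
        name = (attrs.get("sAMAccountName") or ["<unknown>"])[0]
        for desc in attrs.get("description") or []:
            if KEYWORDS.search(desc):
                findings.append((name, "keyword"))
            elif any(looks_like_secret(t) for t in desc.split()):
                findings.append((name, "password-like token"))
    return findings

if __name__ == "__main__":
    for account, reason in audit_descriptions(SAMPLE_USERS):
        print(f"{account}: review description ({reason})")
```

Any authenticated domain user can normally read the Description attribute, so every hit should be treated as an exposed credential: rotate the password and clear the field.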
Groups
Groups are all default