
ForceChangePassword


Last updated 2 years ago

Configuring

Prerequisite

Configuring

  1. Log in on DC02 with the username Administrator and the password Welcome01!.

  2. Open the "Active Directory Users and Computers" administration tool on DC02.

  3. Open the "Users" OU, right click it and select "New" and then "User".

  4. Fill in the name sa_transfer and set the password to 2i^t#fFpL.

  5. Make sure "User must change password at next logon" is NOT selected and select "Password never expires".

  6. Right click the sa_transfer user and select "Properties", open the "Security" tab and click "Advanced".

  7. Click "Add", then "Select a principal", fill in the name testreset and click "Check Names".

  8. Click "OK" and select the privilege "Reset Password".

  9. Click "OK", "Apply" and again "OK".

Attacking

How it works

Tools

Executing the attack

We know the password of the user testreset: it is Testing123Testing!. It's possible either to log in with the account or to open a PowerShell session as that user. We will go with a PowerShell session.

  1. Start PowerShell, then in the taskbar right click PowerShell and shift + right click "Windows PowerShell". If we do this correctly it's possible to select 'Run as different user'.

  2. Fill in the login details of the testreset user and click 'OK'. A PowerShell window will open, and we can confirm it's running under the testreset user by running whoami.

  3. Within the script where we found the testreset user, we also noticed the sa_transfer_test account. If we run the net user /domain command within PowerShell, we see the sa_transfer account. It might be that our testreset user has the same permissions on this account.

We can confirm this by loading PowerView and checking the ACLs on the sa_transfer account. We will run the following command to check this:

Get-ObjectAcl -SamAccountName sa_transfer -ResolveGUIDs | ? {$_.ObjectAceType -eq "User-Force-Change-Password"}

The above command will filter out everything but reset password permissions. The output will be as follows:

If we convert the SecurityIdentifier, we notice it's the user testreset.

  4. We now know that we have permission to reset the password of the sa_transfer user. To reset the password of sa_transfer, we will run the following command:

Set-DomainUserPassword -Identity sa_transfer -AccountPassword (ConvertTo-SecureString 'WeCanResetThisPassword123!' -AsPlainText -Force) -Verbose
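The ACE that makes the attack above possible is the User-Force-Change-Password extended right (shown as "Reset Password" in the GUI), and every reset performed through it is logged on the domain controller as Security event 4724. The following PowerShell is an added defender-side example, not code from the original page or from PowerView: it audits which principals hold that right (or GenericAll) on user objects and lists recent 4724 events. It assumes the ActiveDirectory module (RSAT) is available and that DC02 is the domain controller to query; the list of expected principals is an assumption to adjust for your environment.

```powershell
# Added example (not from the original page): audit and detection for the
# ForceChangePassword (User-Force-Change-Password) ACE.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password extended right.
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Principals expected to hold Reset Password on users (assumption; tune per environment).
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        'BUILTIN\Account Operators', 'CREATOR OWNER')

function Find-ForceChangePasswordGrants {
    # Returns each Allow ACE on a user object that grants the Reset Password
    # extended right (or all extended rights, or GenericAll) to an unexpected principal.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # ObjectType Guid.Empty on an ExtendedRight ACE means "all extended rights".
            $isReset = $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                       ($ace.ObjectType -eq $ForceChangePasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
            $isGenericAll = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
            if (-not ($isReset -or $isGenericAll)) { continue }
            if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Principal = $ace.IdentityReference.Value
                Right     = if ($isGenericAll) { 'GenericAll' } else { 'User-Force-Change-Password' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-PasswordResetEvents {
    # Security event 4724: "An attempt was made to reset an account's password".
    # SubjectUserName is who performed the reset, TargetUserName is the account reset.
    param([string]$ComputerName = 'DC02', [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; ResetBy = $data['SubjectUserName']; Target = $data['TargetUserName'] }
        }
}

Find-ForceChangePasswordGrants | Format-Table -AutoSize
Get-PasswordResetEvents | Format-Table -AutoSize
```

In the lab configured above, the audit should list sa_transfer as Target with testreset as Principal, and after step 4 the event query should show a 4724 whose ResetBy is testreset.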

Defending

Recommendations

Detection

References

PowerView
Password on shares
Abusing Active Directory ACLs/ACEs - Red Teaming Experiments
Edges - BloodHound 4.2.0 documentation