# Password on shares

## Configuring

### Prerequisite

{% content-ref url="/pages/0GXLOMc0L3j6WXGKWSIQ" %}
[Discovering Shares](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3.md)
{% endcontent-ref %}

### Configuring

1. Login on `DC02` with the username `Administrator` and password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

<div align="left"><img src="/files/bQVX7JvQr2r88F6wXHOF" alt=""></div>

3\. Right click on the "Users" directory and select "New" and then "User". Create a user with the name `testreset`.

<div align="left"><img src="/files/L5hqajwbBrIqKGnQDY6p" alt=""></div>

4\. Fill in the password `Testing123Testing!`, select "Password never expires" and make sure "User must change password at next logon" is not selected.

5\. Login on `FILE01` with the username `Administrator` and password `Welcome01!`.

6\. Open "Windows Explorer" and browse to `C:\Share\IT`.

<div align="left"><img src="/files/zz1Znxi9xSCoW9UQqoJM" alt=""></div>

7\. Create a directory "Scripts" and enter it. Then create a new text document with the name `Password-reset-transferuser-testscript.ps1` and place the following content inside it:

```powershell
# Credential of the account that is allowed to reset the transfer user's password.
# Keeping it in plaintext in this script is the misconfiguration this lab demonstrates.
$plainPassword = 'Testing123Testing!'
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential("amsterdam\testreset", $securePassword)

Import-Module ActiveDirectory
# Generate a 15-character random password from the printable ASCII range
# (Get-Random -Count picks without replacement, so no character repeats).
$Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
$NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
$user = "sa_transfer_test"
Set-ADAccountPassword $user -NewPassword $NewPwd -Reset -Credential $credentials
# Display userid and new password on the console.
Write-Host $user, $Password
```

<div align="left"><img src="/files/xtegL58oxbubN9uHkPQO" alt=""></div>

8\. Download a couple of bogus scripts to the server and place them in the same folder, for example:

```powershell
# Run from C:\Share\IT\Scripts on FILE01. In PowerShell, wget is an alias of Invoke-WebRequest,
# which only writes the downloaded file to disk when -OutFile is given.
$base = 'https://raw.githubusercontent.com/ruudmens/LazyAdmin/master'
Invoke-WebRequest "$base/Windows%2010/CreateLocalAdminAcc.ps1"       -OutFile CreateLocalAdminAcc.ps1
Invoke-WebRequest "$base/ActiveDirectory/Add-UsersToGroup.ps1"       -OutFile Add-UsersToGroup.ps1
Invoke-WebRequest "$base/ActiveDirectory/CleanupDisabledUsers.ps1"   -OutFile CleanupDisabledUsers.ps1
Invoke-WebRequest "$base/ActiveDirectory/Get-ADUsers.ps1"            -OutFile Get-ADUsers.ps1
Invoke-WebRequest "$base/ActiveDirectory/Get-ADComputers.ps1"        -OutFile Get-ADComputers.ps1
```
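Steps 1 to 7 above as a script instead of GUI clicks. This is an added example and not part of the lab page; it assumes the ActiveDirectory module is available (on `DC02`, or through RSAT on `FILE01`), that `C:\Share\IT` already exists from the prerequisite page, and it reuses only the lab's own hostnames, paths and credentials.

```powershell
# Added example (not the lab's own code): lab setup steps 1-7 as PowerShell.
Import-Module ActiveDirectory

# Steps 1-4: create testreset in the default Users container with "Password never expires"
# on and "User must change password at next logon" off.
$testresetPassword = ConvertTo-SecureString 'Testing123Testing!' -AsPlainText -Force
New-ADUser -Name 'testreset' -SamAccountName 'testreset' -Server 'DC02' `
    -AccountPassword $testresetPassword -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# Confirm the two checkbox settings from step 4 actually landed (PasswordLastSet is non-zero
# only when no change-at-next-logon flag is set).
Get-ADUser -Identity 'testreset' -Server 'DC02' -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet

# Steps 5-7 (run on FILE01): the Scripts folder inside the IT share. Save the script shown in
# step 7 under the path below; the decoy downloads of step 8 go in the same folder.
$scriptsDir = 'C:\Share\IT\Scripts'
New-Item -ItemType Directory -Path $scriptsDir -Force | Out-Null
$scriptPath = Join-Path $scriptsDir 'Password-reset-transferuser-testscript.ps1'
Write-Host "Place the step-7 script at $scriptPath"
```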

## Attacking

### How it works

During our pentests I often find shares that are accessible to all users, and often there are credentials to be discovered in configuration files, scripts or Microsoft Office documents (`.doc`, `.xls`) made to store passwords. Sometimes there is even a NAS that allows null sessions and read/write access on all shares.
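A defender's audit for exactly this situation, as an added example that is not part of the lab page: first list the SMB shares on the file server that grant access to broad principals, then search the readable files for patterns that indicate embedded credentials. The share path, the extension list and the regular expressions are assumptions to adapt to your own environment; the matched lines are truncated so the report does not itself become a second copy of the secrets.

```powershell
# Added example (not the lab's own code): audit shares for broad access and embedded credentials.
# Run on FILE01 as an account that can read the whole share; the SmbShare module needs Server 2012+.

# 1. Which non-administrative SMB shares grant access to broad principals?
function Get-BroadShareAccess {
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|Authenticated Users|Domain Users|Domain Computers|\\Users$'
        }
    } | Select-Object Name, AccountName, AccessRight
}

# 2. Which readable text files on the share look like they embed credentials?
function Find-EmbeddedCredentials {
    param(
        [string]$SharePath = 'C:\Share',   # assumption: local path of the Data share on FILE01
        [string[]]$Extensions = @('*.ps1', '*.psm1', '*.bat', '*.cmd', '*.vbs', '*.xml', '*.config', '*.ini', '*.txt')
    )
    # Each pattern targets one way credentials end up in scripts; Select-String is case-insensitive by default.
    $patterns = @(
        'PSCredential\s*\(',                      # New-Object PSCredential("user", $password)
        'ConvertTo-SecureString\s.*-AsPlainText', # plaintext turned into a SecureString at run time
        '\bpass(word|wd)?\s*[:=]\s*\S+',          # password = '...', pwd: ...
        'net\s+use\s.*\s/user:',                  # net use X: \\srv\share pw /user:domain\name
        '-(Password|Pass)\s+[''"]'                # -Password "literal" passed to a cmdlet
    )
    Get-ChildItem -Path $SharePath -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        ForEach-Object {
            $text = $_.Line.Trim()
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern
                # First 40 characters only: enough to triage, not enough to copy the value out of the report.
                Snippet = $text.Substring(0, [Math]::Min(40, $text.Length))
            }
        }
}

Get-BroadShareAccess | Format-Table -AutoSize
Find-EmbeddedCredentials -SharePath 'C:\Share' | Sort-Object File, Line | Format-Table -AutoSize
```

Run the file scan a second time as an ordinary domain user to see what "all users" can actually read, since NTFS permissions can be narrower than the share permissions. The scan covers text formats only; the Office documents mentioned above are binary and need a separate check, for instance by opening them with the Word or Excel COM objects or by converting them to text first.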

### Tools


### Executing the attack

The attack is executed from the perspective of already having discovered the IT Share on `FILE01` and having access to it.

{% content-ref url="/pages/0GXLOMc0L3j6WXGKWSIQ" %}
[Discovering Shares](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3.md)
{% endcontent-ref %}

1. To have easy access to the share, log in as `noah` with the password `haoNHasAStrongPassword321!@` on `WS01`.
2. Open File Explorer and browse to `\\file01\Data`.

<div align="left"><img src="/files/DyA0mj8WYDQDjd7K0EnJ" alt=""></div>

3\. Open the IT directory and then the Scripts directory.

![](/files/fVlPhZJZkdVVEX5xjAPl)

4\. While looking through the scripts we see that the script `Password-reset-transferuser-testscript` has login credentials saved in the script:

![](/files/C5Skg8ObCutBySRtk1MF)

5\. The password for the user `testreset` is probably `Testing123Testing!`. After reading through the code it seems that it's a script that resets the credentials of the user `sa_transfer_test` using the credentials of `testreset`.

We can easily test this by starting a new PowerShell session as this user: open PowerShell, right-click its icon in the taskbar, then Shift+right-click "Windows PowerShell" and select "Run as different user".

<div align="left"><img src="/files/KKliT6EkD7rCU3bSPBNg" alt=""></div>

6\. Copy and paste the credentials and click "OK". A PowerShell window opens; type `whoami` to check that we are running as the `testreset` user:

<div align="left"><img src="/files/CM6NTYjShPaxE5SzIuwS" alt=""></div>

On the following page, the ACLs this account has are abused by resetting another user's password:

{% content-ref url="/pages/y3WVp5205BvoV7yAhZ6U" %}
[ForceChangePassword](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/forcechangepassword.md)
{% endcontent-ref %}

## Defending

### Recommendations

* Don't save credentials in readable files (scripts, configuration files or documents on shares).
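What the step-7 reset script looks like once the plaintext password is taken out of the file, as an added example that is not the lab's own script. The credential is stored once, outside the share, with `Export-Clixml`, which wraps the SecureString with DPAPI for the exporting user on the exporting machine, so the file does not decrypt for any other account that can read it. The credential file path and the account that runs the task are assumptions; the random password generator keeps the original's alphabet but draws from a CSPRNG.

```powershell
# Added example (not the lab's own code): the reset task without a plaintext password in the script.
#
# One-time setup, run interactively as the account that will run this script, on the host that runs it
# (path is an assumption):
#   Get-Credential -UserName 'amsterdam\testreset' -Message 'testreset password' |
#       Export-Clixml -Path "$env:LOCALAPPDATA\reset-task\testreset.cred.xml"

Import-Module ActiveDirectory

$credFile = Join-Path $env:LOCALAPPDATA 'reset-task\testreset.cred.xml'
if (-not (Test-Path $credFile)) {
    throw "Credential file '$credFile' not found; run the one-time Export-Clixml setup as this user."
}
# Import-Clixml rebuilds the PSCredential; the DPAPI blob only decrypts for the same user on the same machine.
$credentials = Import-Clixml -Path $credFile

function New-RandomPassword {
    # Same alphabet as the original script (printable ASCII 33-126, 94 symbols), but drawn from a
    # cryptographic RNG instead of Get-Random, and with repeated characters allowed.
    param([int]$Length = 15)
    $alphabet = [char[]](33..126)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $chars = New-Object char[] $Length
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: 188 is the largest multiple of 94 that fits in a byte, so discarding
        # values >= 188 keeps every symbol equally likely (no modulo bias).
        if ($byte[0] -lt 188) {
            $chars[$i] = $alphabet[$byte[0] % 94]
            $i++
        }
    }
    return -join $chars
}

$user = 'sa_transfer_test'
$newPassword = New-RandomPassword -Length 15
$newPwd = ConvertTo-SecureString $newPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $user -NewPassword $newPwd -Reset -Credential $credentials

# The original script wrote the new password to the console, which also ends up in any PowerShell
# transcript. Only confirm success here; deliver $newPassword to the requester through whatever
# access-controlled channel the handover process uses, never via the console or a file on the share.
Write-Host "Password for $user was reset at $(Get-Date -Format s)."
```

This narrows exposure rather than removing it: an administrator on that host, or anyone holding that user's DPAPI master key, can still recover the stored password. If the reset runs as a scheduled task, a group managed service account (gMSA) that holds the reset right on `sa_transfer_test` removes the stored password altogether, because the task then runs as the gMSA and no credential file exists.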

