10. Abuse ForceChangePassword Right via RPC

We discovered that alfredo can reset another user's password (for example, sysadmin).

If an account holds the ForceChangePassword right over another account, it can reset that account's password without knowing the current one. This is a major privilege escalation path, because whoever holds the right gains full control of the target account.

Tool Used: net rpc

net rpc is part of the Samba suite. It interacts with Windows systems and Active Directory domains over the Remote Procedure Call (RPC) protocol and lets administrators and penetration testers perform domain management tasks, such as password resets, from a non-Windows host.

Command Breakdown:

net rpc password sysadmin 'NewPassword123' -U 'megachange.nyx/alfredo%Password1' -S 192.168.10.4

  • net rpc password: the subcommand that sets another user's password over RPC

  • sysadmin: the target user whose password you want to reset

  • 'NewPassword123': the new password to set

  • -U 'megachange.nyx/alfredo%Password1': authenticate as alfredo (who holds the ForceChangePassword right), in DOMAIN/user%password form

  • -S 192.168.10.4: the IP of the domain controller ([TARGET_IP] elsewhere in this writeup)
What happens?

If alfredo really holds ForceChangePassword over sysadmin, this command:

  • changes sysadmin's password

  • without knowing the old one

  • giving you full control of the sysadmin account

Note that the reset overwrites the current password, so the legitimate owner is locked out, and the domain controller records the action as a password reset event (Security Event ID 4724) with alfredo as the subject. It is a noisy technique on a monitored domain.
Next Step?

After the password is changed, you can log in as sysadmin using:

netexec smb [TARGET_IP] -u sysadmin -p 'NewPassword123' --shares

If sysadmin is a Domain Admin, you're now effectively root in the domain.
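The two defender-side checks that close this path, as an added example that is not part of the original writeup: an ACL audit that finds non-authorised trustees holding the User-Force-Change-Password extended right over privileged accounts (the ACE that let alfredo do this), and a detection over Security Event ID 4724 lines that flags a reset of a privileged account by a subject who should not be doing it. The ACE records, log line format, account names and the authorised-principal list are all constructed assumptions for this example; only the extended-right GUID is a real schema value.

```python
"""Defender-side checks for ForceChangePassword abuse.

Added example, not from the original writeup. All ACE records, log lines,
account names and the authorised-principals list are constructed for
illustration; only the extended-right GUID is a real AD schema value.
"""
import re
from dataclasses import dataclass

# GUID of the User-Force-Change-Password extended right in the AD schema (real value).
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Assumed policy: the only principals that should reset privileged accounts.
AUTHORISED_PRINCIPALS = {"Domain Admins", "Account Operators", "Administrator"}
PRIVILEGED_ACCOUNTS = {"sysadmin", "Administrator"}


@dataclass(frozen=True)
class Ace:
    """One access-control entry as exported from an ACL review tool (constructed shape)."""
    trustee: str      # principal the right is granted to
    target: str       # account object the ACE sits on
    right_guid: str   # ObjectType GUID of the extended right ("" for non-extended rights)


def find_dangerous_reset_rights(aces):
    """Return (trustee, target) pairs where a non-authorised trustee can force-reset
    a privileged account. This is the preventive check: such an ACE should be
    removed before anyone uses it."""
    findings = []
    for ace in aces:
        if ace.right_guid.lower() != FORCE_CHANGE_PASSWORD_GUID:
            continue
        if ace.target in PRIVILEGED_ACCOUNTS and ace.trustee not in AUTHORISED_PRINCIPALS:
            findings.append((ace.trustee, ace.target))
    return findings


# Constructed one-line export format for Security log events. Real 4724 events carry
# the same Subject/Target account fields, but the text layout depends on the
# forwarding pipeline, so adapt the regex to your own.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Subject=(?P<subject>\S+)\s+Target=(?P<target>\S+)\s+Src=(?P<src>[\d.]+)"
)


def detect_suspicious_resets(log_lines):
    """Flag Event ID 4724 (an attempt was made to reset an account's password) where
    the subject is not authorised to reset the privileged target. A password reset
    sent to the DC over RPC is logged as this event with the authenticating
    account as the subject."""
    alerts = []
    for line in log_lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "4724":
            continue
        subject, target = m.group("subject"), m.group("target")
        if target in PRIVILEGED_ACCOUNTS and subject not in AUTHORISED_PRINCIPALS:
            alerts.append({"subject": subject, "target": target, "src": m.group("src")})
    return alerts


# --- constructed sample data -------------------------------------------------
SAMPLE_ACES = [
    Ace("Domain Admins", "sysadmin", FORCE_CHANGE_PASSWORD_GUID),   # expected delegation
    Ace("alfredo", "sysadmin", FORCE_CHANGE_PASSWORD_GUID),         # the misconfiguration
    Ace("alfredo", "jdoe", FORCE_CHANGE_PASSWORD_GUID),             # non-privileged target
    Ace("alfredo", "sysadmin", ""),                                 # generic right, not reset
]

SAMPLE_LOG = [
    "2024-01-01T10:00:00Z EventID=4724 Subject=Administrator Target=sysadmin Src=192.168.10.4",
    "2024-01-01T10:05:00Z EventID=4738 Subject=alfredo Target=sysadmin Src=192.168.10.50",
    "2024-01-01T10:05:01Z EventID=4724 Subject=alfredo Target=sysadmin Src=192.168.10.50",
    "2024-01-01T10:06:00Z EventID=4724 Subject=alfredo Target=jdoe Src=192.168.10.50",
]

if __name__ == "__main__":
    for trustee, target in find_dangerous_reset_rights(SAMPLE_ACES):
        print(f"ACL finding: {trustee} can force-reset {target}")
    for alert in detect_suspicious_resets(SAMPLE_LOG):
        print(f"ALERT: {alert['subject']} reset {alert['target']} from {alert['src']}")
```

The ACL check is the one that actually removes the path; the event check only tells you after the fact that the right was used, so run the first on a schedule and wire the second into whatever consumes your domain controller Security logs.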
