Active Directory Attack Lab: Recon-to-Root
Exploitation Phase

10. Abuse ForceChangePassword Right via RPC

We discovered that alfredo can reset another user’s password (e.g., sysadmin).

If an account has ForceChangePassword rights, it can reset another user’s password without needing the old one — a major privilege escalation path.

Tool Used: net rpc

net rpc, part of the Samba suite, is used to interact with Windows systems and Active Directory domains over the Remote Procedure Call (RPC) protocol. It allows administrators and penetration testers to perform various domain-related tasks, including setting another account’s password.

Command Breakdown:

net rpc password sysadmin 'NewPassword123' -U 'megachange.nyx/alfredo%Password1' -S 192.168.10.4
  • net rpc password: The net subcommand that sets another account’s password over RPC

  • sysadmin: The target user whose password you want to reset

  • 'NewPassword123': The new password you want to set

  • -U 'megachange.nyx/alfredo%Password1': Authenticate as alfredo (who holds ForceChangePassword over sysadmin), in DOMAIN/user%password form

  • -S 192.168.10.4: The IP of the domain controller that receives the request


What happens?

If alfredo really has ForceChangePassword over sysadmin, this command:
  • ✅ Changes sysadmin’s password
  • ✅ Without knowing the old one
  • ✅ Giving you full control of sysadmin

Note that this is a reset, not a change: the domain controller logs it as Security event 4724 (an attempt was made to reset an account’s password) with alfredo as the subject, and the legitimate sysadmin user loses access immediately, so the action is noisy and easy for a SOC to spot.


Next Step?

After the password is changed, you can log in as sysadmin using the exact password you set above:

netexec smb 192.168.10.4 -u sysadmin -p 'NewPassword123' --shares

If sysadmin is a Domain Admin, you're now root in the domain.
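As an added example (not part of the original lab), here is the defender’s side of this step: a forced reset by net rpc is recorded on the domain controller as Security event 4724, whereas a user changing their own password with the old one is event 4723. The script below runs a simple detection rule over constructed event lines in JSON form; the field names, the helpdesk allowlist and the privileged-account list are assumptions for this lab, not a real product’s schema.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events, one JSON object per line, modelled on the fields of
# Windows Security events 4724 (reset by another principal) and 4723 (self-change).
# The field names are an assumption about how a collector might export them.
SAMPLE_LOG = """\
{"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4723, "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4724, "SubjectUserName": "alfredo", "TargetUserName": "sysadmin", "Computer": "DC01"}
{"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "Administrator", "Computer": "DC01"}
"""

# Lab assumptions: accounts allowed to reset passwords, and tier-0 accounts whose
# password should never be reset outside a planned change window.
AUTHORIZED_RESETTERS = {"helpdesk01"}
PRIVILEGED_TARGETS = {"sysadmin", "administrator"}


@dataclass(frozen=True)
class Alert:
    severity: str
    subject: str
    target: str
    reason: str


def parse_events(text: str) -> List[dict]:
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_reset_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious forced password reset, else None."""
    if ev.get("EventID") != 4724:  # 4723 needs the old password; not a forced reset
        return None
    subject = ev["SubjectUserName"].lower()
    target = ev["TargetUserName"].lower()
    if target in PRIVILEGED_TARGETS:
        # Even an authorised helpdesk account resetting a tier-0 password needs review.
        return Alert("high", subject, target, "forced reset of privileged account")
    if subject not in AUTHORIZED_RESETTERS:
        return Alert("medium", subject, target, "reset by account outside the helpdesk allowlist")
    return None


def scan_events(events: Iterable[dict]) -> List[Alert]:
    """Run the rule over every event and keep the hits in log order."""
    return [a for a in (evaluate_reset_event(e) for e in events) if a is not None]
```

Running scan_events(parse_events(SAMPLE_LOG)) flags the alfredo → sysadmin reset and the helpdesk reset of Administrator, and ignores the routine helpdesk reset of jdoe and jdoe’s own 4723.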
