0xma Cyber Security Articles




May 24, 2022

Retrieve LAPS (Local Administrator Password Solution) Credentials

In this tutorial, we will see how to retrieve the LAPS (Local Administrator Password Solution) password from the system. We will start by adding a user to the LAPS group. And once the user is part of the LAPS group, we will see how to retrieve the LAPS password and login to the target as administrator.

It shows all the available groups in the system. Note the two LAPS related groups.

Running net groups to find all available groups.

The presence of the "AdmPwd.dll" is a good indication that LAPS is being used.

Presence of admpwd.dll on the target.

Let's copy PowerView.ps1 to the target using scp.

Copying PowerView.ps1 to the target using scp.

It shows that the PowerView.ps1 script has been successfully copied to the target.

PowerView.ps1 successfully copied to the target.

Let's import this PowerShell module. Once imported, we can reset "gibdeon's" password using the Set-DomainUserPassword cmdlet from PowerView.ps1. I am doing this because I don't have "gibdeon's" password and this user alone can add other users to the "LAPS" related groups.

Resetting a user's password with Set-DomainUserPassword from PowerView.ps1 PowerShell script.

It creates an authentication object with the "gibdeon" user and the newly modified password.

Creating an authentication object with gibdeon user.

Since this user has the privileges of creating a new user, we can create a new user account.

Creating a new user.

Running net users shows that the new user account has been created successfully.

Running net users to list all the accounts on the system.

Let's add this newly created account to the "WinRM", "SSH" and "LAPS READ" groups.

Adding a user to the WinRM, SSH and LAPS READ groups. Adding a user to the WinRM, SSH and LAPS READ groups. Adding a user to the WinRM, SSH and LAPS READ groups.

Since we have added this user to the "SSH" group, it possible to SSH into this box.

Logging into the target using SSH.

The Get-ADComputer cmdlet allows us to retrieve the password. It is possible because the user is part of the "LAPS READ" group.

Retrieving the LAPS administrator password using Get-ADComputer.

Now that we have the password, we can log in to the box using the administrador (or administrator) account.

Logging into the target as administrador or administrator account.

As a side note, I have enabled port forwarding using SSH which takes all the traffic on port 5985 on the local box and sends it to port 5985 on the target box.

Enabling port forwarding on port 5985 using SSH.

It shows that the local box listening on port 5985.

Local box is listening on port 5985.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.