Local Administrator Password Solution (LAPS)
Group Policy Preferences (GPP)
GPP is a tool that allows administrators to create domain policies with embedded credentials. Once the GPP is deployed, several XML files are created in the SYSVOL folder. SYSVOL is an essential component of Active Directory: it is a shared directory on an NTFS volume that all authenticated domain users can access with read permission.
The issue was that the relevant GPP XML files contained a password encrypted with AES-256. At the time, the encryption was considered good enough, until Microsoft published the AES key itself on MSDN. Since domain users can read the contents of the SYSVOL folder, decrypting the stored passwords became trivial. One of the tools that decrypts these SYSVOL-stored passwords is Get-GPPPassword.
Local Administrator Password Solution (LAPS)
In 2015, Microsoft removed storing the encrypted password in the SYSVOL folder. It introduced the Local Administrator Password Solution (LAPS), which offers a much more secure approach to remotely managing the local administrator password.
The new method adds two attributes (ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime) to computer objects in Active Directory. The ms-mcs-AdmPwd attribute holds the clear-text password of the local administrator, while ms-mcs-AdmPwdExpirationTime holds the time at which the password is due to be reset. LAPS uses admpwd.dll to change the local administrator password and to update the value of ms-mcs-AdmPwd.

Enumerate for LAPS
Let's start enumerating it. First, we check whether LAPS is installed on the target machine, which can be done by checking for the admpwd.dll path.

The output confirms that LAPS is present on the machine. Next, let's list the available AdmPwd cmdlets as follows.

Now we enumerate the available OUs.

We can see an OU here, THMorg, and it is safe to assume this OU carries the "All extended rights" permission that governs LAPS password reads. We will use the Find-AdmPwdExtendedRights cmdlet against that OU to list who holds those rights.

The output shows that the THMLAPsReader group in THMorg has the right to read LAPS passwords. Let's check the group and its members.

Getting the Password
We found that the bk-admin user is a member of THMLAPsReader, so in order to read the LAPS password we need to compromise or impersonate the bk-admin user.
After compromising the right user, we can read the LAPS password with the Get-AdmPwdPassword cmdlet by providing the name of the target machine that has LAPS enabled.
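The enumeration steps above, collected into one PowerShell script as an added example (not the room's own commands), written as an audit a domain administrator would run: it checks for the LAPS client, lists the AdmPwd cmdlets, reports which principals hold extended rights on every OU, expands any delegated group such as THMLAPsReader, and confirms the password attribute is populated without printing the password. The DLL path is the default LAPS client install path, and the computer name is a placeholder.

```powershell
# Added example (not from the original page): audit LAPS deployment and delegation
# from a domain-joined host. Requires the AdmPwd.PS and ActiveDirectory modules.
# THMorg and THMLAPsReader come from the walkthrough above; TARGET-PC is a placeholder.

param(
    [string]$OuName       = 'THMorg',      # OU whose delegated rights we inspect
    [string]$ComputerName = 'TARGET-PC'    # hypothetical LAPS-managed computer
)

# 1. Is the LAPS client-side extension installed on this machine?
$cseDll = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
if (Test-Path $cseDll) { "LAPS CSE present: $cseDll" } else { "LAPS CSE not found" }

# 2. Load the management module and list the cmdlets it provides.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
Get-Command -Module AdmPwd.PS | Select-Object -ExpandProperty Name

# 3. For every OU, report the principals holding "All extended rights" on it.
#    Those holders (and the members of any listed group) can read ms-Mcs-AdmPwd.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    Find-AdmPwdExtendedRights -Identity $_.DistinguishedName
} | Select-Object ObjectDN, ExtendedRightHolders

# 4. Expand each holder on the OU of interest; groups are resolved recursively,
#    so nested membership (the bk-admin case above) is surfaced too.
$rights = Find-AdmPwdExtendedRights -Identity $OuName
foreach ($holder in $rights.ExtendedRightHolders) {
    $name = ($holder -split '\\')[-1]            # "DOMAIN\Name" -> "Name"
    $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'"
    if ($obj -and $obj.ObjectClass -eq 'group') {
        "Group ${holder} members:"
        Get-ADGroupMember -Identity $name -Recursive |
            Select-Object -ExpandProperty SamAccountName
    } else {
        "Principal $holder (not a domain group, e.g. NT AUTHORITY\SYSTEM)"
    }
}

# 5. Confirm LAPS is actually populating the attribute for a managed computer.
#    Succeeds only for a principal that holds the read right; the password
#    itself is not displayed, only whether one is set and when it expires.
Get-AdmPwdPassword -ComputerName $ComputerName |
    Select-Object ComputerName, ExpirationTimestamp,
        @{ n = 'PasswordSet'; e = { -not [string]::IsNullOrEmpty($_.Password) } }
```

Step 3 and 4 together are the detection view of this page: any group that shows up in ExtendedRightHolders is a group whose membership should be reviewed and monitored, because each member can read every LAPS password under that OU.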