Yes, this is known as a "pass-the-hash" attack and described in a few places as an unsupported way to recover from a lost SSO Master password. As I mentioned, I have tried this and it didn't work. I'm not sure why.

Part of the reason may be that I don't fully understand the actual relationship between the SSO Master password and the "admin@System-Domain" password. From what I understand, you initiallly set the admin password and it is used as a Master password as well. For all I know, the admin account may later have been disabled or broken somehow. If I could recover the password somehow, I'm hoping I'd be able to use it as Master password to perform the upgrade and reset the admin account.

This mechanism was unique to vCenter 5.1, it was fixed in version 5.5