
HTB • Seized

Seized is a medium-difficulty forensics challenge created by thewildspirit on Hack the Box that involves recovering credentials from a Windows AppData folder which are protected via DPAPI and stored by Google Chrome.

Miyuki is now after a newly formed ransomware division which works for Longhir. This division’s goal is to target any critical infrastructure and cause financial losses to their opponents. They never restore the encrypted files, even if the victim pays the ransom. This case is the number one priority for the team at the moment. Miyuki has seized the hard-drive of one of the members and it is believed that inside of which there may be credentials for the Ransomware’s Dashboard. Given the AppData folder, can you retrieve the wanted credentials?

Chrome User Data

There’s some user data for Chrome at AppData/Local/Google/Chrome/User Data/. This folder can contain all sorts of juicy info, and it might have the credentials for the ransomware dashboard. The standard Default/Login Data SQLite database confirms that Chrome has stored saved credentials, which are probably what the challenge description is referring to.

login_data='./AppData/Local/Google/Chrome/User Data/Default/Login Data'
sqlite3 "$login_data" 'select * from logins'   # quote the path: "User Data" contains a space

The returned entry has an email, ransomoperator@draeglocker.com, but the associated password looks to be encrypted. To decrypt the password, we need the DPAPI master key.

DPAPI

The master key is stored at AppData/Roaming/Microsoft/Protect/*/*, but it is itself encrypted, so it has to be cracked before it can be used.
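Before cracking anything it helps to know which master key file a protected value actually depends on. The following Python is an added triage example, not part of the original writeup: it parses only the header of a DPAPI blob to read the master key GUID, classifies a Chrome password_value as either a raw DPAPI blob (older profiles) or a v10/v11 AES-GCM value whose key lives in Local State, and reports which Protect/<SID>/<GUID> file is needed. The sample blob, Local State JSON and v10 value are constructed; the GUID is the master key file name used in this writeup; the function names are my own.

```python
import base64
import json
import struct
import uuid

# Well-known provider GUID that starts every CryptProtectData blob
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def dpapi_masterkey_guid(blob: bytes) -> str:
    """Header-only parse: version(4) | provider GUID(16) | mk version(4) | mk GUID(16) | ..."""
    if len(blob) < 40:
        raise ValueError("too short to be a DPAPI blob")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    return str(uuid.UUID(bytes_le=blob[24:40]))


def classify_password_value(value: bytes) -> dict:
    """Which scheme protects a Chrome password_value and which key opens it."""
    if value[:3] in (b"v10", b"v11"):
        # Chrome 80+: AES-256-GCM with the key stored in Local State (os_crypt.encrypted_key)
        return {"scheme": "aes-gcm", "prefix": value[:3].decode(), "nonce": value[3:15].hex()}
    # Older profiles: the value itself is a DPAPI blob tied to one user master key
    return {"scheme": "dpapi", "masterkey_guid": dpapi_masterkey_guid(value)}


def local_state_masterkey_guid(local_state_json: str) -> str:
    """Master key GUID protecting Chrome's AES key (base64 of 'DPAPI' + blob)."""
    enc = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if not enc.startswith(b"DPAPI"):
        raise ValueError("unexpected encrypted_key prefix")
    return dpapi_masterkey_guid(enc[5:])


def required_masterkeys(local_state_json: str, password_values: list) -> set:
    """GUIDs of the Protect/<SID>/<GUID> files needed to open every stored password."""
    needed = set()
    for value in password_values:
        info = classify_password_value(value)
        needed.add(info["masterkey_guid"] if info["scheme"] == "dpapi"
                   else local_state_masterkey_guid(local_state_json))
    return needed


# Constructed sample data (the GUID is the master key file name from this writeup)
MK_GUID = "865be7a6-863c-4d73-ac9f-233f8734089d"
SAMPLE_BLOB = (b"\x01\x00\x00\x00" + DPAPI_PROVIDER.bytes_le + b"\x01\x00\x00\x00"
               + uuid.UUID(MK_GUID).bytes_le + b"\x00" * 8)  # remaining fields omitted
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key":
                                 base64.b64encode(b"DPAPI" + SAMPLE_BLOB).decode()}})
SAMPLE_V10 = b"v10" + bytes(range(12)) + b"\xaa" * 16  # nonce || ciphertext || tag
```

Running required_masterkeys over the password_value column of Login Data together with Local State tells you up front which master key file(s) have to be recovered, which matters on a profile whose logins span several master keys.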

Recover Windows Password

We’ll format the DPAPI master key into a crackable hash using the DPAPImk2john utility from John the Ripper.

sid="S-1-5-21-3702016591-3723034727-1691771208-1002"
mkf="AppData/Roaming/Microsoft/Protect/$sid/865be7a6-863c-4d73-ac9f-233f8734089d"
DPAPImk2john -S "$sid" -mk "$mkf" -c local > dpapimk.john

Then we’ll crack the hash with John the Ripper and a wordlist (100k.txt here).

john --wordlist=100k.txt ./dpapimk.john

We successfully crack the hash and recover the password “ransom”. Now the password we found and the associated SID can be used to recover the plaintext master key with pypykatz.

Recover Pre-Key

First we need a pre-key, which pypykatz derives from the user’s SID and the Windows password we just recovered.

pass="ransom"
pypykatz dpapi prekey password "$sid" "$pass"

Decrypt Master Key

Now we’ll use one of the pre-keys to decrypt the master key.

pkey="87ca22100fa54e86e4a2c476f67addf6b4375933" # The first pre-key
pypykatz dpapi masterkey -o ./masterkey.json "$mkf" "$pkey"

The masterkey.json file now contains the decrypted master key.

Decrypt Chrome Secrets

pypykatz also has a chrome subcommand that decrypts Chrome secrets using the master key we recovered, together with the profile’s Local State file.

pypykatz dpapi chrome \
    --logindata "$login_data" \
    ./masterkey.json \
    "./AppData/Local/Google/Chrome/User Data/Local State"

The flag can then be found in the password column of the output.

This post is licensed under CC BY 4.0 by the author.