HTB • Seized
Seized is a medium-difficulty forensics challenge created by thewildspirit on Hack the Box that involves recovering credentials from a Windows AppData folder which are protected via DPAPI and stored by Google Chrome.
Miyuki is now after a newly formed ransomware division which works for Longhir. This division’s goal is to target any critical infrastructure and cause financial losses to their opponents. They never restore the encrypted files, even if the victim pays the ransom. This case is the number one priority for the team at the moment. Miyuki has seized the hard-drive of one of the members and it is believed that inside of which there may be credentials for the Ransomware’s Dashboard. Given the AppData folder, can you retrieve the wanted credentials?
Chrome User Data
There’s some user data for Chrome at AppData/Local/Google/Chrome/User Data/
. This folder can contain all sorts of juicy info, and it might have the credentials for the ransomware dashboard. Within the standard Default/Login Data
database, we can verify that chrome stores the credentials that the challenge description was probably referring to.
1
2
login_data='./AppData/Local/Google/Chrome/User Data/Default/Login Data'
sqlite3 $login_data -cmd 'select * from logins'
The returned entry has an email, ransomoperator@draeglocker.com, but the associated password looks to be encrypted. To decrypt the password, we need the DPAPI master key.
DPAPI
The master key is stored at AppData/Roaming/Microsoft/Protect/*/*
, but it’s encrypted and needs to be cracked.
Recover Windows Password
We’ll format the DPAPI master key into a crackable hash using the DPAPImk2john
utility from John the Ripper.
1
2
3
sid="S-1-5-21-3702016591-3723034727-1691771208-1002"
mkf="AppData/Roaming/Microsoft/Protect/$sid/865be7a6-863c-4d73-ac9f-233f8734089d"
DPAPImk2john -S $sid -mk $mkf -c local > dpapimk.john
Then we’ll crack the hash with John the Ripper and this wordlist.
1
john --wordlist=100k.txt ./dpapimk.john
We successfully crack the hash and recover the password “ransom”. Now the password we found and the associated SID can be used to recover the plaintext master key with pypykatz.
Recover Pre-Key
First we need a pre-key, which can be calculated with the unique SID and password of a user which we found earlier.
1
2
pass="ransom"
pypykatz dpapi prekey password $sid $pass
Decrypt Master Key
Now we’ll use one of the pre-keys to decrypt the master key.
1
2
pkey="87ca22100fa54e86e4a2c476f67addf6b4375933" # The first pre-key
pypykatz dpapi masterkey -o ./masterkey.json $mkf $pkey
The masterkey.json
file now contains the decrypted master key.
Decrypt Chrome Secrets
Pypykatz has another tool we could use to decrypt Chrome secrets with the master key that we recovered.
1
2
3
4
pypykatz dpapi chrome \
--logindata $login_data \
./masterkey.json \
"./AppData/Local/Google/Chrome/User Data/Local State"
The flag can then be found in the output from the password column.