TryHackMe: Chrome (post #2)
a.infosecflavour
Posted on April 1, 2024
The master key used for DPAPI encryption can be found in AppData/Roaming/Microsoft/Protect/SID.
To retrieve the password, we first need to convert the master key, which is done using this Python script.
DPAPImk2john belongs to the plethora of dependencies of john.
I'll use:
python3 DPAPImk2john.py --sid="SID" --masterkey="masterkey" --context=local > hash.txt
After obtaining the hash, we can crack it using john. Additional details about how to employ this tool can be found here.
With that being said, let's crack the password!
We're making a lot of progress! We are getting closer and closer to the passwords stored in Google's Password Manager.
The next step is to decrypt the master key. This can be done either with Mimikatz or Pypykatz. I'll continue to use the second one.
In order to retrieve the URLs and the associated passwords, we need to align the following 3 files:
- Local State (file type: json) (file location: AppData/Local/Google/Chrome/User Data/Local State)
- Login Data (file type: DB) (file location: AppData/Local/Google/Chrome/User Data/Default/Login Data)
- master key (file type: data) (file location: AppData/Roaming/Microsoft/Protect/)
I extract the pre-keys with:
pypykatz dpapi prekey password "SID" password
And now, I'll decrypt the master key, trying each of the pre-keys. The first pre-key is also the one that works.
Note that -o stands for output. The output is mkey.json. You can name the file however you want, provided that it preserves the type, i.e. JSON.
Commands used:
pypykatz dpapi masterkey -o ./mkey.json masterkey prekey
pypykatz dpapi chrome --logindata Login_Data ./mkey.json Local_State
strings Login_Data | grep -i http
Also, note that the file name was changed to Local_State. Originally, you'll find it under the name Local State.
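How the three files listed above relate, as an added example (not from the original post and not pypykatz code): it reads the master key GUID from the DPAPI header of os_crypt.encrypted_key in Local State, which names the file to look for under Protect/SID, and reports the layout of each password_value in Login Data without decrypting anything. The sample data and the function names masterkey_guid, describe_logins and build_sample are constructed for illustration.

```python
import base64, json, sqlite3, struct, uuid

# Provider GUID present in every DPAPI blob header.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

def masterkey_guid(local_state_text):
    """GUID of the DPAPI master key that wraps the AES key stored in Local State."""
    wrapped = base64.b64decode(json.loads(local_state_text)["os_crypt"]["encrypted_key"])
    if wrapped[:5] != b"DPAPI":
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    blob = wrapped[5:]
    if len(blob) < 40:
        raise ValueError("DPAPI blob header is truncated")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER:
        raise ValueError("unexpected DPAPI blob header")
    # Layout: version(4) provider(16) masterkey version(4) masterkey GUID(16)
    return str(uuid.UUID(bytes_le=blob[24:40]))

def describe_logins(conn):
    """(url, user, scheme, ciphertext length) for each row of the logins table."""
    rows = []
    query = "SELECT origin_url, username_value, password_value FROM logins"
    for url, user, blob in conn.execute(query):
        blob = bytes(blob or b"")
        if blob[:3] == b"v10" and len(blob) >= 3 + 12 + 16:
            # "v10" + 12-byte nonce + AES-GCM ciphertext + 16-byte tag
            rows.append((url, user, "v10", len(blob) - 31))
        else:
            rows.append((url, user, "other", len(blob)))
    return rows

def build_sample():
    """Constructed stand-ins for Local State and Login Data (no real secrets)."""
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")
    blob = (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le +
            struct.pack("<I", 1) + guid.bytes_le + bytes(32))
    key = base64.b64encode(b"DPAPI" + blob).decode()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    conn.execute("INSERT INTO logins VALUES (?, ?, ?)",
                 ("https://example.test/login", "alice", b"v10" + bytes(12 + 9 + 16)))
    return json.dumps({"os_crypt": {"encrypted_key": key}}), conn

if __name__ == "__main__":
    local_state, conn = build_sample()
    print("master key file to look for:", masterkey_guid(local_state))
    print(describe_logins(conn))
```

If the GUID returned for a real Local State does not match the master key file passed to pypykatz, the chrome step will not produce plaintext, which is a quick thing to check when the output is empty.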
Congratulations!
What are your thoughts so far?
Let me know how it goes for you. If you get stuck, feel free to leave a comment!