TryHackMe: Chrome (post #2)

yowise

a.infosecflavour

Posted on April 1, 2024

TryHackMe: Chrome (post #2)

The master key used for DPAPI encryption can be found in AppData/Roaming/Microsoft/Protect/SID.

master key

In order to retrieve the password, we need to convert the master key and this is done using this python script.
DPAPImk2john belongs to the plethora of dependencies of john.

I'll use python3 DPAPImk2john.py --sid="SID" --masterkey="masterkey" --context=local > hash.txt πŸ‘‡

DPAPI

After obtaining the hash, we can crack it using john. Additional details about how to employ this tool can be found here.

With that being said, let's crack the password! 🦁

john

There's a lot of advancing!πŸ‘We get closer and closer to the passwords stored in Google's Password Manager.

The next step is to Decrypt the masterkey. This can be done either with Mimikatz or Pypykatz. I'll continue to use the second one. πŸ‘€

In order to retrieve the URLs and the associated passwords, we need to align the following 3 files:
πŸ•Local State (file type: json) (file location: AppData/Local/Google/Chrome/User Data/ Local State)

πŸ•‘Login Data (file type: DB) (file location: AppData/Local/Google/Chrome/User Data/Default/Login Data)

πŸ•’master key (file type: data) (file location: AppData/Roaming/Microsoft/Protect/)

3files

I extract the pre-keys pypykatz dpapi prekey password "SID" password πŸ‘‡

prekey

And now, I'll decrypt the master key trying any of the pre-key. The first pre-key is also the one that's working.
Note that -o stands for output. The output is mkey.json. You can name the file however you want, provided that it preserves the type, i.e JSON.πŸ˜‰

answers

Commands used:

  • pypykatz dpapi masterkey -o ./mkey.json masterkey prekey

  • pypykatz dpapi chrome --logindata Login_Data ./mkey.json Local_State

  • strings Login_Data | grep -i http

Also, note that the name file was changed to Local_State. Originally, you'll find it under the name Local State.

Congratulations!πŸ‘

What are your thoughts so far? πŸ€”
Let me know how it goes for you. If you get stuck, feel free to leave a comment!πŸ€—

πŸ’– πŸ’ͺ πŸ™… 🚩
yowise
a.infosecflavour

Posted on April 1, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

TryHackMe: Chrome (post #2)
cybersecurity TryHackMe: Chrome (post #2)

April 1, 2024