We can extract the user's hash using a tool called DPAPImk2john.py. Since we have the master key file and the SID PS D:\AppData\Roaming\Microsoft\Protect> ls. The user's master key, which is used as the primary key when decrypting DPAPI blobs, is protected by the user's password and is stored encrypted in the file AppData\Roaming\Microsoft\Protect\, where the SID is the security identifier of the user. As described by Microsoft's official documentation, only a user with login credentials that match those of the user who encrypted the data can decrypt the data. Saves the encrypted AES passwords in a file inside the AppData folder, called Local State.Ĭoncatenates the initialization vector with the ciphertext and saves them in a file inside the AppData folder, named Login Data.īut how is the private AES key protected?Ĭhrome uses a Windows function from the DPAPI (Data Protection Application Programming Interface) called CryptProtectData, which, as hinted by its name, can protect data using the current user's password. It is interesting to see if we can read the passwords if any. It is known that Chrome provides a password manager to users. After a quick enumeration, we can find a Chrome subfolder. Chrome's password manager 🗝️īy reading the description, we know that we need to search for credentials. It contains settings and other information needed by Windows applications. Given the AppData folder, can you retrieve the wanted credentials? Challengeįor this challenge, we are given the suspect's AppData folder.ĪppData is a hidden folder located in C:\Users\\AppData. Miyuki has seized the hard drive of one of the members, and it is believed that inside it, there may be credentials for the Ransomware's Dashboard. This case is the number one priority for the team at the moment. They never restore the encrypted files, even if the victim pays the ransom. This division's goal is to target any critical infrastructure and cause financial losses to their opponents. Miyuki is now after a newly formed ransomware division that works for Longhir. Using the latter, get the private AES key and finally decrypt Chrome's saved password. To solve the challenge, a player must retrieve the user's hash from the encrypted master key, crack the hash and decrypt the master key. This write-up will cover the solution for the medium forensics challenge named Seized.
0 kommentar(er)
