Tags: forensics
Inside `AppData\Local\Google\Chrome\User Data\Default\Login Data` (an SQLite database; open it with any SQLite client and look at the `logins` table) we have credentials for user `[email protected]`. The password is unreadable: Chrome stores it encrypted, and the key ultimately comes from the DPAPI of the original Windows account. Since Chrome 80 the `password_value` blob is AES-256-GCM ciphertext (prefix `v10`) and the AES key sits DPAPI-wrapped in `User Data\Local State` under `os_crypt.encrypted_key`; older profiles store the password directly as a DPAPI blob. Either way, offline we cannot call DPAPI, so we need the user's master key.
Inside `AppData\Roaming\Microsoft\Protect\<SID>\` we have the DPAPI master key file (not a certificate): one GUID-named file per master key. It is encrypted with a key derived from the password of the original Windows account, which is why recovering that password is the first step.
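Before cracking anything it helps to confirm which master key the profile actually depends on, since `Protect\<SID>\` can hold several GUID-named files. The script below is an added example, not code from the original writeup nor from John or mimikatz. It builds a constructed `User Data` tree (synthetic `Login Data` and `Local State`; the blobs carry a valid DPAPI header but random bodies, so nothing in them can be decrypted), classifies each `password_value` as the Chrome 80+ `v10` AES-256-GCM format or a legacy raw DPAPI blob, and parses the DPAPI blob header to recover the master-key GUID, which is the file name to feed to `DPAPImk2john.py`. The master-key GUID and the URL are reused from this writeup; the username `victim@example.com` and the reduced `logins(origin_url, username_value, password_value)` table are fixture assumptions.

```python
import base64
import json
import os
import pathlib
import sqlite3
import struct
import tempfile
import uuid

# Well-known DPAPI provider GUID; as bytes_le it yields the familiar
# "D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB" blob signature.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# Master-key GUID from the writeup; used here only to build the constructed fixture.
SAMPLE_MK_GUID = uuid.UUID("865be7a6-863c-4d73-ac9f-233f8734089d")


def parse_dpapi_blob_header(blob):
    """Return (masterkey_version, masterkey_guid) from the start of a DPAPI blob.

    Header layout: DWORD version (1) | GUID provider | DWORD mk_version | GUID mk_guid.
    Windows stores GUIDs in mixed-endian order, hence uuid.UUID(bytes_le=...).
    """
    if len(blob) < 40:
        raise ValueError("too short to be a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: bad version or provider GUID")
    mk_version, = struct.unpack_from("<I", blob, 20)
    return mk_version, str(uuid.UUID(bytes_le=blob[24:40]))


def classify_password_value(pv):
    """Tell which secret unlocks a Login Data password_value blob."""
    if pv[:3] in (b"v10", b"v11"):
        # Chrome >= 80: "v10" | 12-byte GCM nonce | ciphertext | 16-byte tag,
        # AES-256-GCM under the key that Local State stores DPAPI-wrapped.
        return "aes256gcm-localstate-key"
    if pv[:4] == b"\x01\x00\x00\x00" and pv[4:20] == DPAPI_PROVIDER_GUID.bytes_le:
        return "dpapi-blob"  # pre-80 Chrome: the password itself is a DPAPI blob
    return "unknown"


def local_state_key_blob(local_state_path):
    """Return the DPAPI blob wrapping Chrome's AES key ("DPAPI" prefix stripped)."""
    with open(local_state_path, "r", encoding="utf-8") as f:
        state = json.load(f)
    raw = base64.b64decode(state["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    return raw[len(b"DPAPI"):]


def triage(user_data_dir):
    """List stored logins and the master-key GUID needed to decrypt each one."""
    login_data = pathlib.Path(user_data_dir, "Default", "Login Data").resolve()
    local_state = os.path.join(user_data_dir, "Local State")
    # Open read-only so the evidence file is never modified.
    con = sqlite3.connect(login_data.as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins").fetchall()
    finally:
        con.close()
    key_blob = local_state_key_blob(local_state) if os.path.exists(local_state) else None
    out = []
    for url, user, pv in rows:
        scheme = classify_password_value(pv)
        if scheme == "dpapi-blob":
            _, mk = parse_dpapi_blob_header(pv)
        elif scheme == "aes256gcm-localstate-key" and key_blob is not None:
            _, mk = parse_dpapi_blob_header(key_blob)
        else:
            mk = None
        out.append({"url": url, "username": user, "scheme": scheme, "masterkey_guid": mk})
    return out


def build_fixture(root):
    """Write a constructed Chrome 'User Data' tree under root and return its path."""
    user_data = os.path.join(root, "User Data")
    os.makedirs(os.path.join(user_data, "Default"))
    header = (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
              + struct.pack("<I", 1) + SAMPLE_MK_GUID.bytes_le)
    fake_dpapi_blob = header + os.urandom(48)  # valid header, synthetic body
    with open(os.path.join(user_data, "Local State"), "w", encoding="utf-8") as f:
        json.dump({"os_crypt": {"encrypted_key":
                   base64.b64encode(b"DPAPI" + fake_dpapi_blob).decode()}}, f)
    v10_blob = b"v10" + os.urandom(12) + os.urandom(20) + os.urandom(16)  # synthetic
    con = sqlite3.connect(os.path.join(user_data, "Default", "Login Data"))
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.execute("INSERT INTO logins VALUES (?,?,?)",
                ("https://windowsliveupdater.com/", "victim@example.com", v10_blob))
    con.execute("INSERT INTO logins VALUES (?,?,?)",
                ("https://legacy.example/", "old-user", fake_dpapi_blob))
    con.commit()
    con.close()
    return user_data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry in triage(build_fixture(tmp)):
            print(entry)
```

Run it against a real seized profile by calling `triage()` on the `User Data` directory; every entry whose `masterkey_guid` matches the GUID-named file in `Protect\<SID>\` can be recovered once that one master key is cracked.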
Using `DPAPImk2john.py`, bundled with John the Ripper (jumbo), we convert the master key file into a crackable hash (`-S` is the user's SID, `-mk` the master key file, `-c local` marks the account as a local rather than a domain account) and crack it with John:
```
python DPAPImk2john.py -S S-1-5-21-3702016591-3723034727-1691771208-1002 -mk ~/S-1-5-21-3702016591-3723034727-1691771208-1002/865be7a6-863c-4d73-ac9f-233f8734089d -c local > hash.txt
./john --wordlist=rockyou.txt hash.txt
```
John reports that the password is `ransom`.
Using mimikatz we decrypt the master key file with the recovered password (`/sid` must match the folder the file came from):
```
dpapi::masterkey /in:"H:\Repos\ctf\HTB Cyber Apocalpyse 2022\Forensics\forensics_seized\AppData\Roaming\Microsoft\Protect\S-1-5-21-3702016591-3723034727-1691771208-1002\865be7a6-863c-4d73-ac9f-233f8734089d" /sid:S-1-5-21-3702016591-3723034727-1691771208-1002 /password:ransom /protected
```
mimikatz prints the decrypted master key, 64 bytes (128 hex characters), as a DPAPI master key should be:
```
138f089556f32b87e53c5337c47f5f34746162db7fe9ef47f13a92c74897bf67e890bcf9c6a1d1f4cc5454f13fcecc1f9f910afb8e2441d8d3dbc3997794c630
```
Using mimikatz we decrypt Chrome's stored credentials with that master key. `dpapi::chrome` also needs the `Local State` file to unwrap Chrome's AES key; it looks for it relative to the `Login Data` path, and `/state:` can point it at the file explicitly if the tree is laid out differently:
```
dpapi::chrome /in:"H:\Repos\ctf\HTB Cyber Apocalpyse 2022\Forensics\forensics_seized\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:138f089556f32b87e53c5337c47f5f34746162db7fe9ef47f13a92c74897bf67e890bcf9c6a1d1f4cc5454f13fcecc1f9f910afb8e2441d8d3dbc3997794c630
```
```
URL     : https://windowsliveupdater.com/
Username: [email protected]
 * using BCrypt with AES-256-GCM
Password: HTB{Br0ws3rsC4nts4v3y0un0w}
```
The `using BCrypt with AES-256-GCM` line confirms the Chrome 80+ path: mimikatz unwrapped the AES key from `Local State` with the master key and then decrypted the `v10` password blob.
Src: [https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords)
Author: [https://lesley.co](https://lesley.co)