This write-up will cover the solution for the medium forensics challenge named Seized. To solve the challenge, a player must retrieve the user's hash from the encrypted master key, crack the hash and decrypt the master key. Using the latter, get the private AES key and finally decrypt Chrome's saved password.
Miyuki is now after a newly formed ransomware division that works for Longhir. This division's goal is to target any critical infrastructure and cause financial losses to their opponents. They never restore the encrypted files, even if the victim pays the ransom. This case is the number one priority for the team at the moment. Miyuki has seized the hard drive of one of the members, and it is believed that inside it, there may be credentials for the Ransomware's Dashboard. Given the AppData folder, can you retrieve the wanted credentials?
For this challenge, we are given the suspect's AppData folder.
AppData is a hidden folder located in C:\Users\<username>\AppData. It contains settings and other information needed by Windows applications.
By reading the description, we know that we need to search for credentials. After a quick enumeration, we can find a Chrome subfolder. It is known that Chrome provides a password manager to users. It is interesting to see if we can read the passwords if any.
As described in this article:
Chrome uses AES GCM encryption.
Saves the encrypted AES passwords in a file inside the AppData folder, called Local State.
Concatenates the initialization vector with the ciphertext and saves them in a file inside the AppData folder, named Login Data.
But how is the private AES key protected?
Chrome uses a Windows function from the DPAPI (Data Protection Application Programming Interface) called CryptProtectData, which, as hinted by its name, can protect data using the current user's password. As described by Microsoft's official documentation, only a user with login credentials that match those of the user who encrypted the data can decrypt the data.
The user's master key, which is used as the primary key when decrypting DPAPI blobs, is protected by the user's password and is stored encrypted in the file AppData\Roaming\Microsoft\Protect\<SID>, where the SID is the security identifier of the user.
Since we have the master key file and the SID
PS D:\AppData\Roaming\Microsoft\Protect> ls .\S-1-5-21-3702016591-3723034727-1691771208-1002\865be7a6-863c-4d73-ac9f-233f8734089d
We can extract the user's hash using a tool called DPAPImk2john.py.
python DPAPImk2john.py --sid="S-1-5-21-3702016591-3723034727-1691771208-1002" --masterkey="865be7a6-863c-4d73-ac9f-233f8734089d" --context="local" > hash.txt
And then, using john with the rockyou wordlist, we can get the user's password.
The password is ransom.
In order to decrypt the DPAPI blob, we first need to decode it.
import json import base64 fh = open('AppData/Local/Google/Chrome/User Data/Local State', 'rb') encrypted_key = json.load(fh) encrypted_key = encrypted_key['os_crypt']['encrypted_key'] decrypted_key = base64.b64decode(encrypted_key) open("dec_data",'wb').write(decrypted_key[5:])
We can now use mimikatz to decrypt the master key.
dpapi::masterkey /in:865be7a6-863c-4d73-ac9f-233f8734089d /sid:S-1-5-21-3702016591-3723034727-1691771208-1002 /password:ransom /protected
And then decrypt the DPAPI blob which is the private AES key.
dpapi::blob /masterkey:138f089556f32b87e53c5337c47f5f34746162db7fe9ef47f13a92c74897bf67e890bcf9c6a1d1f4cc5454f13fcecc1f9f910afb8e2441d8d3dbc3997794c630 /in:"dec_data" /out:aes.dec