DEV Community

a.infosecflavour


TryHackMe: Chrome (post #2)

The master key used for DPAPI encryption is stored under AppData/Roaming/Microsoft/Protect/<SID>/; each master key is a file named after its GUID.

[screenshot: master key file]

To retrieve the password we first need to turn the master key file into a crackable hash. This is done with DPAPImk2john.py, a Python script that ships with John the Ripper (you'll find it in john's run/ directory).

I'll use python3 DPAPImk2john.py --sid="SID" --masterkey="masterkey" --context=local > hash.txt, where "masterkey" is the path to the master key file and "SID" is the user's SID 👇

[screenshot: DPAPImk2john output]

After obtaining the hash, we can crack it using john. The john documentation covers the full set of options.

With that being said, let's crack the password! 🦁

[screenshot: john cracking the hash]

Good progress! 👏 We are getting closer to the passwords stored in Google's Password Manager.

The next step is to decrypt the master key. This can be done with either Mimikatz or pypykatz; I'll keep using the latter. 👀

To retrieve the URLs and the associated passwords, we need to bring together the following three files:
🕐 Local State (file type: JSON) (location: AppData/Local/Google/Chrome/User Data/Local State)

🕑 Login Data (file type: SQLite DB) (location: AppData/Local/Google/Chrome/User Data/Default/Login Data)

🕒 master key (file type: data) (location: AppData/Roaming/Microsoft/Protect/<SID>/)

[screenshot: the three files]

I extract the pre-keys with pypykatz dpapi prekey password "SID" password 👇

[screenshot: pypykatz prekey output]

Now I'll decrypt the master key by trying each of the pre-keys in turn. The first pre-key is the one that works.
Note that -o stands for output; the output file is mkey.json. You can name the file however you want, as long as it keeps the JSON extension. 😉

[screenshot: decrypted URLs, usernames and passwords]

Commands used:

  • pypykatz dpapi masterkey -o ./mkey.json masterkey prekey

  • pypykatz dpapi chrome --logindata Login_Data ./mkey.json Local_State

  • strings Login_Data | grep -i http

Also note that the file was renamed from Local State to Local_State so the space does not have to be quoted on the command line. Originally you'll find it under the name Local State.

Congratulations!👏

What are your thoughts so far? 🤔
Let me know how it goes for you. If you get stuck, feel free to leave a comment!🤗
