Red Team
What's Cracking? Oh, must be your KeePass password!
·815 words·4 mins
Red Team
Security
Black Hat Go
Recently, I found myself stumbling upon a .kdbx (KeePass Database) file as part of a backup in a CTF and needed to crack the password to gain access to the secrets contained and consequently elevate my privileges. The problem was that I couldn’t get the hash in the right format for cracking it with john: unsupported database file version (4). So, I built keepass-rush to do so myself.
Read more
Privilege Escalation via DPAPI
·672 words·4 mins
Red Team
Security
Windows
DPAPI can be useful in situations where you have an initial foothold on a Windows host and are seeking to escalate your privileges. More specifically, we are talking about scenarios where your initial access user shares their home folder with a privileged account. This setup is commonly found in Active Directory contexts, when a single person operates with 2 distinct users, 1 for their everyday work and another one for dedicated administrative actions, such as managing other users & groups, that require elevated privileges.
Read more